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VOLUME  V 
IN  THE  UNITED  STATES  ARMY 

UNITED  STATES 
VS. 

MANNING,    Bradley  E.,    PFC  COURT-MARTIAL 
U.S.   Army,    xxx— xx— 9504 

Headquarters  and  Headquarters  Company, 

U.S.   Army  Garrison, 

Joint  Base  Myer— Henderson  Hall, 

Fort  Myer,   VA  22211 

 / 

The  Hearing  in  the  above— titled  matter  was 
continued  on  Tuesday,    June  11,    2013,   at  1:45  p.m.,  at 
Fort  Meade,   Maryland,   before  the  Honorable  Colonel 
Denise  Lind,  Judge. 
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DISCLAIMER 
This  transcript  was  made  by  a  court 
reporter  who  is  not  the  official  Government  reporter, 
was  not  permitted  to  be  in  the  actual  courtroom  where 
the  proceedings  took  place,   but  in  a  media  room 
listening  to  and  watching  live  audio/video  feed,  not 
permitted  to  make  an  audio  backup  recording  for  editing 
purposes,    and  not  having  the  ability  to  control  the 
proceedings  in  order  to  produce  an  accurate  verbatim 
transcript . 

This  unedited,    uncertified  draft  transcript 
may  contain  court  reporting  outlines  that  are  not 
translated,   notes  made  by  the  reporter  for  editing 
purposes,   misspelled  terms  and  names,   word  combinations 
that  do  not  make  sense,    and  missing  testimony  or 
colloquy  due  to  being  inaudible  by  the  reporter. 


Provided  by  Freedom  of  the  Press  Foundation 


1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 


UNOFFICIAL  DRAFT  -  6/11/13  Afternoon  Session 


APPEARANCES : 

ON  BEHALF  OF  GOVERNMENT: 
MAJOR  ASHDEN  FEIN 
CAPTAIN  JOSEPH  MORROW 
CAPTAIN  ANGEL  OVERGAARD 
CAPTAIN  HUNTER  WHYTE 
CAPTAIN  ALEXANDER  van  ELTEN 

ON  BEHALF  OF  ACCUSED: 
DAVID  COOMBS 
CAPTAIN  JOSHUA  TOOMAN 
MAJOR  THOMAS  HURLEY 


Provided  by  Freedom  of  the  Press  Foundation 


1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 


UNOFFICIAL  DRAFT  -  6/11/13  Afternoon  Session 

4 

INDEX 
June  11,  2013 


WITNESS:      KENNETH  MOSER  Page 

DIRECT  EXAMINATION  6 

CROSS  EXAMINATION  18 

WITNESS:      DAVID  SHAVER  Page 

DIRECT  EXAMINATION  23 

CROSS  EXAMINATION  30 

REDIRECT  EXAMINATION  38 

RECROSS  EXAMINATION  4  6 

REDIRECT  EXAMINATION  53 

REDIRECT  EXAMINATION  54 

CROSS  EXAMINATION  86 

CONTINUED  REDIRECT  EXAMINATION  126 

RECROSS  EXAMINATION  138 

CONTINUED  REDIRECT  EXAMINATION  142 

EXAMINATION  BY  THE  COURT  144 

CONTINUED  REDIRECT  EXAMINATION  147 

CONTINUED  RECROSS  EXAMINATION  147 


Provided  by  Freedom  of  the  Press  Foundation 


1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 


UNOFFICIAL  DRAFT  -  6/11/13  Afternoon  Session 


PROCEEDINGS, 
THE  COURT:      Court  is  called  to  order. 

Major? 

MR.   FEIN:     Your  Honor,    all  parties  when  the 
court  last  recessed  are  again  present. 

Captain  Morrow  is  also  present . 

THE  COURT:      Is  the  government  ready  to 

proceed? 

THE  PROSECUTION:      The  United  States  calls 
Mr .   Kenneth  Moser . 

THE  COURT:  I  didn't  ask  the  parties  if 
there  are  any  issues  we  needed  to  address,  I  assume 
there  are  none? 

THE  PROSECUTION:     No,  ma'am. 

Whereupon, 

KENNETH  MOSER, 
called  as  a  witness,   having  been  first  duly  sworn  to 
tell  the  truth,    the  whole  truth,    and  nothing  but  the 
truth,   was  examined  and  testified  as  follows : 

THE  PROSECUTION:       (INAUDIBLE) . 

THE  WITNESS:     Yes,  sir. 
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DIRECT  EXAMINATION  BY  THE  PROSECUTION: 
Q  Mr.   Moser,   what  is  your  military 

background? 

A  21  years  in  the  Air  Force  since  I  retired. 

Q  What  did  you  do  in  the  Air  Force? 

A  (INAUDIBLE) . 

Q  When  did  you  retire? 

A  In  2009. 

Q  What  did  you  do  after  retirement? 

A  I  got  hired  at  unit  Central  Command  working 

as  a  command  paralegal  manager . 

Q  What  do  you  do  as  command  paralegal 

manager? 

A  I  oversee  office,   manpower,   budget  IT, 

small    (INAUDIBLE) . 

Q  And  where  are  you  assigned? 

A  I  am  at  US  Central  Command  down  at  Tampa. 

Q  How  much  do  you  work  with  classified 

information  at  that  position? 
A  On  a  daily  basis . 

Q  What  are  some  of  the  ways  you  work  with 
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classified  information? 

A  Documents,    e-mails,    receive  a  lot  of 

e-mails  that  are  classified.     Handling  documents, 
drafting  documents  that  will  be  classified. 

Q  How  do  you  identify  classified  information? 

A  For  a  document  it  would  be  at  the  top  and 

bottom  of  a  page  marked  what  the  classification  level 
is  . 

Also  you'll  see  paragraphs  that  are  marked 
appropriately  so  you  might  have  one  paragraph  that ' s 
unclassified  and  the  next  paragraph  would  be  the 
classified  marking. 

Q  When  did  you  first  become  involved  in  this 

case? 

A  Approximately  three  years  ago  I ' d  say . 

Q  Let ' s  talk  a  little  bit  about  your  work 

with  the  CENTCOM  website .     What  do  you  do  for  the 
CENTCOM  website? 

A  I'm  the  Sharepoint  portal  manager. 

Q  What  is  Sharepoint? 

A  SharePoint  is  a  Microsoft  product 
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collaboration  tool  that  our  command  uses  for 
information,    sharing  and  storage  of  documents . 

Q  What  do  you  do  to  manage  it? 

A  I  initially  —  when  we  went  to  our  newest 

Sharepoint  version  I  built  the  sites,   the  look,  and 
feel  of  them.     And  then  I  post  documents  out  there,  set 
up  folders,    set  up  different  libraries  for  our 
different  sections  in  our  office  that  they  can  then  use 
to,   you  know,   as  they  see  fit  for  their  sections. 

Q  What  version  of  SharePoint  was  the  CENTCOM 

website  running  in  2009,  2010? 

A  It  would  have  been  SharePoint  2007. 

Q  How  long  have  you  been  working  with 

SharePoint  at  CENTCOM? 

A  When  I  initially  got  there  in  2005,  active 

duty,    I  got  there  2005  and  then  we  started  using 
SharePoint  probably  late  2007,    2008  timeframe. 

Q  Who  had  access  to  the  CENTCOM  website  in 

2009  and  2010? 

A  The  CENTCOM  overall  website?     Anybody  who 

had  access  to  it,   had  SIPR  access,   could  get  onto 
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CENTCOM  sites  and  had  a  lot  of  information  from  our 
components  that  they  could  get  on  there,  get 
information  if  they  needed  to. 

Q  Specifically  what  portion  do  you  manage? 

A  I  manage  the  SJA,   the  Staff  Judge  Advocates 

portal  site . 

Q  Who  had  access  to  that  SJA  portal  site  in 

2009,  2010? 

A  For  the  home  page  anybody  who  had  access  to 

the  CENTCOM  SIPR  page  could  get  access  to  our  home 
page .     And  then  we  had  a  legal  document  library  that 
was  in  there  that  was  open  to  the  public .     And  then  we 
had  a  few  other  sites  that  we  had  blocked  out  some 
other  permissions   just  for  personnel  site  in  our 
office . 

Q  What  kind  of  information  was  in  the  legal 

document  library? 

A  We  just  tried  to  put  a  lot  of  information 

out  there  for  our  people  that  were  out  in  the  fields, 
just  a  lot  of  references,    checklists,   maybe  AMHS 
messages,    FRAGOs .      Just  information  that  they  might 
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need  to  do  their  duty . 

Q  How  often  have  you  used  this  website  since 

2005? 

A  How  often  have  I  used  it?     When  we  started 

using  it  in  late  2007/2008  we  didn't  use  it  as 
frequently  as  we  do  now.     We  use  it  almost  exclusively. 
We  had  hung  the  documents  out  there  over  a  period  of 
time  and  so  I  would  say,   you  know,   on  a  weekly  basis  we 
do  a  little  bit  here  and  then  get  on  it,   get  on  the 
site  and  put  stuff  on  there. 

Q  How  often  do  you  personally  use  it? 

A  Myself?     Back  then  probably  I ' d  say  once  a 

week.      I  mean,   to  get  on  the  CENTCOM  home  page  portal 
site  every  day,   that's  your  setting  on  your  home  page. 
On  our  site,   you  know,    couple  times  a  week  I'd  always 
be  on  it . 

Q  How  many  portals  were  there  in  2009/2010? 

A  We  had  a  releaseable  portables  and 

non— releasable  portals . 

Releasable  just  meant  that  it  was  open  to 
some  of  our  coalition  countries .     When  you  went  on 
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there  it  had  a  purple  banner  and  it  read  rel .   to,  the 
country,    Great  Britain,   New  Zealand. 

Q  What  kind  of  information  was  in  that 

portal? 

A  On  the  rel.   portal?     It  would  be 

information  that  was  either  unclassified  or  information 
that  was  releasable  to  those  countries  that  were  out 
there . 

Q  What  was  the  non— releasable  portal? 

A  The  non— releasable  portal  was  for  US  only 

or  secret,    no  foreign.     And  it  was  only  —  it  was 
locked  down  to  just  those  US  personnel  that  had  access 
to  the  SIPR. 

Q  Who  primarily  used  this  portal? 

A  The  secret  portal?     Just  about  everybody  in 

the  Command  tended  to  use  the  secret  non-releasable 
more  than  the  rel.      It  was  easier  that  way  to  try  to 
avoid  having  some  sort  of  spillage  than  putting 
something  on  the  releasable  portal  that  shouldn ' t  be 
there . 

THE  PROSECUTION:     We're  retrieving 
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Prosecution  Exhibit   91  for  identification. 


BY  MR.  PROSECUTION: 


Q 


Mr.   Moser,    can  you  see  that  on  the  screen? 


A 


Yes  . 


Q 


What  is  it? 


A 


It ' s  a  snapshot  there  of  our  non— releasable 


portal 


page, 


the  CENTCOM  home  page  there . 


Q 


How  do  you  recognize  it? 


A 


We  got  our  leadership  there  in  the  center, 


2007  version.      That  was  who  the  leadership  was. 

And  then  at  the  top  it  has  the  secret 
SIPRNET.      That's  what  it  has  on  it.      So  and  then  the 
left-hand  corner,   that's  the  CENTCOM  logo,  United 
States  Central  Command  SIPRNET .      That  was  the  home 
page . 

Q  Does  this  accurately  reflect  how  the 

website  looked  in  2009  and  2007? 
A  Yes,  sir. 

Q  What  is  accessible  from  this  web  page? 

A  Most  of  the  stuff  on  the  left  side  would  be 

accessible  to  open  up  to  the  public  and  then  there's  a 
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banner,    it's  not  shown  on  there,   that  goes  across  it. 
It  had  all  the  different  organization,   all  the 
different  diplomats .     They  would  have  drop  down  menus 
that  you  could  go  to  their  sites  as  well  their  home 
pages . 

Q  Do  you  recognize  this  document? 

THE  COURT:     What  is  that  document?     Is  it 
part  of  the  same  exhibits? 

THE  PROSECUTION :      Yes . 

A  That  is  a  snapshot  of  our  SSJA,   the  home 

page  of  the  non-releasable  portal . 

Q  How  would  a  user  navigate  to  the  home  page? 

A  From  the  home  page  they  could  have  gone  to 

the  organization  and  seen  Special  Staff  and  JA  would 
have  fell  underneath  the  Special  Staff  and  that ' s  why 
it  has  a  non-releasable  JA  site  there . 

Q  How  do  you  recognize  it? 

A  Those  were  personnel  that  were  in  our 

office  that  they  have  —  and  over  on  the  left— hand 
side,   the  areas  of  expertise,    CENTCOM  legal  document 
library.     Post  government  employer.      Those  are  all 
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stuff  that  were  on  our  site. 

Q  Do  you  recognize  this  document? 

A  Yes,    sir.      That  is,    looks  like  all  the 

folders  that  we  had  at  the  time  in  our  CENTCOM  legal 
document  library . 

Q  How  often  did  you  work  with  this  library? 

A  Like  I  said,   maybe  a  few  times  a  week  back 

then,    depending  on  what  folder.     We  might  get  one 
document  that,   you  know,    document  in  it  or  one  PDF  file 
in  a  particular  folder. 

Q  Who  at  CENTCOM  used  this  library  primarily? 

A  This  is  open  to  our  command  and  it  was  open 

to  those  personnel,    like  I  said,   that  were  in  theater 
that  could  have  access  to  this  page.     This  is  where  we 
tried  to  hang  a  lot  of  information  out  there  for 
personnel  to  get  access  to. 

Q  Do  you  recognize  this  page? 

A  Yes,    sir.      That's,    that  was  an 

investigation  that  we  had.     It  was  under  the 
investigations  library.      That  was  our  folder  under  the 
CENTCOM  legal  document  library. 
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Q  What  was  the  fraud  investigation? 

A  It  was  a  CIC  code  investigation  from 

Afghanistan,  casualty. 

Q  When  was  this,   when  was  this  folder  on 

CENTCOM's  website? 

A  Back  around  2008  when  we  had  the  SharePoint 

site  we  started,   this  would  be  one  of  the  folders  that 
we  created  under  the  investigation  folders . 

Q  What  was  the  investigations  folder  used  for 

primarily? 

A  We  had  put  some  of  the  investigations  out 

there  just  kind  of  a  storage  place  for  documents . 

Q  Who  primarily  accessed  this? 

A  Mainly  it  was  personally  in  our  office, 

like  I  said,    anything  under  the  CENTCOM  legal  document 
library  was  opened  up  to  those  US  personnel  that  had 
access  to  it . 

Q  How  would  somebody  navigate  to  this  folder? 

A  Under  the  CENTCOM  legal  document  library 

you  would  have  had  a  folder  called  investigations . 
They  would  click  on  that  folder  and  it  brought  up  this 
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particular  investigation. 


Q 


Do  you  recognize  this  document? 


A 


Yes,  sir. 


Q 


What  is  it? 


A 


Those  were  subfolders  under  the  Farah 


investigation . 


Q 


And  what  would  have  been  in  these  folders . 


A 


It  would  have  been  information  contained 


from  the  investigation.     You  see  the  folders'   names  and 
e-mails  and  logistics  of  the  people  that  were 
investigating  or  e-mails  from  investigation  briefs. 
There's  videos,   which  would  contain  videos  of  the 
investigation . 

Q  When  would  this  folder  have  been  on  the 

CENTCOM  website? 

A  During  the  same  time  it  was  created  when 

the  Farah  investigation  folder  was  started. 

Q  Who  had  access  to  it? 

A  Once  again,   the  same  personnel.      It's  been 

open  to  those  personnel  that  had  access  to  the  CENTCOM 
non-releasable  portal  site . 
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Q  Do  you  recognize  this? 

A  Yes,  sir. 

Q  What  is  it? 

A  Those  were  folders,    zip  files  that  had 

videos  in  it  that  were  included  in  the,   they're  under 
the  video  folders  of  the  Farah  investigation. 

Q  Why  were  they  there? 

A  They  were  there  as  part  of  the  whole 

investigation  that  was  out  there  on  the  site. 

Q  What  does  the  icon  to  the  left  of  BE22PAX 

indicate? 

A  The  icon  underneath  the  type? 

Q  Yes. 

A  That  was  a  zip  file  that  contained  the 

videos  inside  of  that  folder  so  if  you  click  on  that  it 
takes  you  to  where  the  video  was;   BE22  was  the  video. 

Q  Were  they  protected? 

A  No,  sir. 

Q  By  password? 

A  Should  have  been  able  to  access  them. 

Q  When  would  this  be  on  the  website? 
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A 


Same  time  the  investigation  was  completed, 


2008  somewhere . 


Q 


Who  had  access  to  it? 


A 


Same  person  that  had  access  to  the  CENTCOM 


library,   the  CENTCOM  home  page. 


Q 


Mr.   Moser,   was  that  file,   the  zip  file, 


protected? 


A 


The  file,    it  is  protected  now.      I  don't 


know.  I  can't  recall  back  then  if  it  had  a  password  on 
it  at  that  time.  We  downloaded  the  whole  investigation 
we  put  on  this  portal  site,  so. 

THE  PROSECUTION:     Your  Honor,  the 
government  moves  to  admit  Prosecution  Exhibit  19  for 
admission  into  evidence. 


THE  DEFENSE:     No  objection,  ma'am. 

THE  COURT:     Exhibit  91  for  identification 


May  I  see  it? 

THE  DEFENSE:  Cross-examination? 

THE  COURT:     Yes,  sir. 

CROSS  EXAMINATION  BY  THE  DEFENSE: 
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Q  Good  afternoon,   Mr.   Moser . 

A  Yes,  sir. 

Q  The  use  of  SharePoint  in  CENTCOM,    that  was 

something  that  was  directed  to  be  used? 

A  Each  division  or  section  could  use  it  as 

they  see  fit.     Some  people  use  it  as  a  collaboration 
tool,    some  use  it  as  storage  site,   as  you  see  fit. 
Back  then  it  wasn ' t  a  mandate  that  you  had  to  use  it . 

Q  You  said,   when  you  talked  to  Captain  Fein, 

you  go  on  the  website  fairly  frequently? 

A  I  do. 

Q  Do  you  ever  go  to  any  other  staff  sections? 

A  Are  you  talking  currently? 

Q  No,    let's  go  back  in  2009,    the  same 

timeframe  that  Captain  Fein  was  talking  about? 
A  Yes,  sir. 

Q  You  went  on  those  other  sections? 

A  I  went  on  others;   yes,  sir. 

Q  Not  to  force  you  to  do  a  class  on  the 

structure  of  the  Central  Command,  but  the  Central 
Command  is  a  very  robust  headquarters,  correct? 
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A  Yes,  sir. 

Q  It  has  all  the  normal  staff  sections  that 
you  would  associate  with  the  headquarters  of  that  size? 

A  Correct . 

Q  Personnel? 

A  Jl  we  called  it . 

Q  J2  with  intelligence? 

A  Correct . 

Q  Plans  J5,    J3  current  operations? 

A  Yes,  sir. 

Q  All  of  those.     And  would  you  have  occasion 
in  this  time  period  to  go  to  those  particular  pages? 

A  Yes,    sir.     A  lot  of  times  if  I  do  legal 


research,    for  example,    I  would  go  on  the  J3  ops,   on  the 
site  I  had  I  could  do  research  on  FRAGOs  or  op  orders 
or  things  like  that .     A  lot  of  information  like  that 
was  out  on  the  other  sites  I  can  get  to . 

Q  And  the  robust  use  of  SharePoint,    the  use 

of  SharePoint  anyway  was  something  that  all  staff 
sections  were  doing,   hanging  information  on  there, 
using  it  for  their  own  use  or  hanging  out  there  for 
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anyone  that  could  get  on  the  site? 

A  They  would  push  stuff  out  there.      Like  I 

said,   each  section  controlled  the  permission  level .  A 
lot  of  stuff  I  wouldn't  have  access  or  know  it  was  out 
there .      I  might  not  see  it .      I  wouldn ' t  know  what  other 
sections  —  stuff  I  couldn't  see  I  wouldn't  know  what's 
out  there . 

Q  Right.     You  wouldn't  know  until  you  get 

into  — 

A  Until  somebody  gave  me  permission  or  told 

me  about  a  site  and  I  could  ask  for  permission  to  get 
to  it . 

Q  But  you  assume  you  had  permission,   that  you 

could  go  on  there  and  conduct  your  legal  research  or 
looking  at  operations  orders  or  FRAGOs  or  weather  or 
whatever? 

A  You  could  —  the  way  SharePoint  works,  you 

lock  down  permission  level.     And  I  do  a  search,  it 
won ' t  pull  up  search  on  the  sites  that  I  don ' t  have 
access  to.     You  won't  know  a  sites  exists  if  you  don't 
have  certain  permission  levels .     You  go  to  the  right 
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side  and  you  might  not.  see  a  folder  where  somebody  else 
that  has  permission  would  have  the  folder  on  that 
particular  site. 

THE  DEFENSE:      Thanks,   Mr.   Moser . 

THE  WITNESS:     Yes,  sir. 

THE  COURT:  Redirect? 

THE  PROSECUTION:     No,    Your  Honor. 

THE  COURT:      Temporary  or  permanent  excusal? 

THE  PROSECUTION :      Temporary . 

THE  COURT:     Mr.   Moser,   you're  temporarily 
excused.     Please  don't  discuss  your  testimony  or 
knowledge  of  the  case  with  anyone  other  than  counsel  or 
the  accused. 

Please  call  your  next  witness . 

THE  PROSECUTION:     United  States  offers  of  a 
stipulation  for  the  record.     Stipulation  of  expected 
testimony  is  going  three  in  a  row,   Your  Honor,  PE73 
prosecution  Exhibit  74  and  Prosecution  Exhibit  75. 

THE  COURT :      Thank  you . 

(Whereupon,   Prosecution  Exhibit  73,  the 
stipulated  testimony  of  James  Fung,   was  read  into  the 
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record. ) 

THE  PROSECUTION:      The  United  States  calls 
Special  Agent  Dave  Shaver . 
Whereupon, 

DAVID  SHAVER, 

called  as  a  witness,   having  been  previously  duly  sworn 
to  tell  the  truth,    the  whole  truth,    and  nothing  but  the 
truth,   was  examined  and  testified  as  follows: 

DIRECT  EXAMINATION  BY  THE  PROSECUTION: 
Q  You  can  have  a  seat  in  the  chair.     You  are 

still  under  oath. 

Did  you  examine  an  image  of  a  computer 
seized  from  an  individual  Jason  Katz? 
A  Yes,    I  did. 

Q  Why  were  you  asked  to  examine  the  computer? 

A  To  determine  the  presence  of  a  file  called 

B  dot  z  ip  . 

Q  Before  you  began  your  examination,   did  you 

ensure  that  the  examination  was  forensically  sound? 

A  Yes,    sir.      I  verified  the  hash  values 

matched  and  I  started  my  examination. 
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Q  And  first,   before  we  get  into  the  B  dot 

zip,   what  kind  of  computer  was  this? 

A  Sir,    there  was  a  Linux  computer. 

Q  What  is  that? 

A  Sir,    that's   just  an  operating  system. 

Q  Did  you  find  the  B  dot  zip  file? 

A  Yes,    sir;    I  did.      There  was  one  user 

account  on  the  computer.      The  user  name  was  Kupo, 
K— U— P— O,   within  that  user  profile,   the  file  b  dot  zip 
was  present . 

Q  Can  you  please  tell  us  about  b  dot  zip? 

A  Yes,  sir. 

Q  Did  this  zip  file  have  any  security 

protections  on  it? 

A  Yes,    sir.      It  was  —  it  had  a  password. 

Q  What  do  you  mean?     If  it  had  a  password, 

how  would  I  open  this  file  essentially? 

A  Sir,    it  was  a  zip  file  so  if  you  double 

click  on  it,    it  would  ask  you  for  the  password. 

Q  Now,    if  I  double  clicked  on  the  zip  file, 

would  I  be  able  to  see  the  contents  of  the  file? 


Provided  by  Freedom  of  the  Press  Foundation 


1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 


UNOFFICIAL  DRAFT  -  6/11/13  Afternoon  Session 

25 

A  You  can  see  the  file  listing,   yes,    sir;  but 

not  actually,   you  couldn't  actually  see  the  movie 
inside . 

Q  So  if  I  tried  to  double  click  on  the  movie 

inside  I  wouldn't  be  able  to  open  it? 
A  Correct . 

Q  And  how  complicated  was  this  password? 

A  Sir,    the  password  was  complicated.      It  had 

both  upper  case,    lower  case,   numbers  and  symbols  within 
the  password. 

Q  And  how  did  you  get  the  password  to  open 

this  file? 

A  The  password  was  provided  to  me  by  another 

CCIU  agent . 

Q  And  where  had  that  password  been  collected 

from? 

A  CENTCOM  itself. 

Q  What  was  inside  the  b  dot  zip  file? 

A  There  was  a  movie  file,    BP AX  number  22  dot 

WMV. 

Q  What  is  dot  WMV? 
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A  It's  a  Windows  movie  file,  sir. 

Q  And  have  you  seen  this  movie  file  before? 

A  I  had,  sir. 

Q  And  when  had  you  seen  this  movie  file? 

A  Sir,    in  examination  of  the  CENTCOM  server, 

SharePoint  Server  itself,    I  noticed  it  there  and  viewed 
it  there  as  well . 

Q  Where  on  the  CENTCOM  server? 

A  There ' s  a  folder  concerning  the  S JA 

investigations  on  a  subf older  called  Farah . 

Q  I'm  retrieving  what's  been  admitted  as 

Prosecution  Exhibit   65 . 

If  I  can  ask  you  to  move  over  to  the  panel 
box  and  if  you  would  just  sit  in  there. 

A  Yes,  sir. 

THE  COURT:      Is  that  Prosecution  Exhibit  65? 
THE  PROSECUTION:  65. 

Q  I'm  handing  you  Prosecution  Exhibit   65.  If 

you  would  just  take  a  couple  moments  to  look  through 
it. 

(Witness  reading.) 
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Q  Do  you  recognize  that  document? 

A  Yes,    sir;    I  do. 

Q  What  is  it? 

A  It ' s  a  file  listing  of  the  contents  of  the 

Farah  investigation  folder. 

Q  What  does  a  file  listing  tell  you  or  show 

you? 

A  The  file  names  and  folder  of  that 

directory . 

Q  Just  using  that  can  you  find  where  the 

B22PAX.wmv,   where  that  movie  file  was  located,  using 
the  file  listing? 

A  Yes,  sir. 

Q  And  where  is  it? 

A  It's  at  the  end,    sir,    it's  in  alphabetical 

listing.     The  folder  is  under  a  folder  called  videos 
and  it ' s  — 

Q  Is  there  a  subf older  under  videos? 

A  No,    it's  Farah  videos  and  then  the  file 

name  is  BE22PAX. 

Q  So  the  WMV  is  within  the  dot  zip? 
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A  Yes,  sir. 

THE  COURT :     Yes . 

THE  DEFENSE:      The  defense  will  stipulate 
the  video  on  the    (INAUDIBLE)    is  the  same  if  that's 
where  prosecution  is  going. 

THE  PROSECUTION :      That ' s  where  we ' re  going . 

THE  COURT:  Okay. 

THE  PROSECUTION:      Just  a  couple  more 

questions . 

BY  THE  PROSECUTION: 


Q  Did  you  watch  the  BE22PAX.wmv? 

A  Yes,  sir. 

Q  What  did  the  movie  depict? 

A  It  depicted  a  aircraft  over  a  battle  space . 

Q  Did  this  particular  movie  file  depict  any 

airstrikes? 

A  No,  sir. 

Q  Did  you  observe  any  explosions  in  this 

movie  file? 

A  No,  sir. 

Q  How  do  you  know? 
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A  I  watched  it . 

Q  You  watched  both  versions? 

A  Yes,  sir. 

Q  Was  there  any  metadata  associated  with  the 

dot  zip  file  on  Mr.   Katz ' s  computer? 
A  Yes,  sir. 

Q  Can  you  explain  what  metadata  is  first 

before  you  answer? 

A  Yes,    sir.     Metadata  is  information  on 

information.      In  this  case  it  would  be,    I  believe 
you're  talking  about  the  file  creation  date. 

Q  Yes,  sir. 

A  The  file  creation  of  this  file  was  15 

December  2009. 

Q  And  what  does  that  mean  to  you? 

A  That  means  someone  copied  the  file  on  this 

computer  on  15  December  2009. 

Q  And  during  your  examination  of  this 

computer,   did  you  observe  any  other  activity  of 
interest? 

A  Yes,    sir.      There  was  a,    the  user  of  this 
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account  was  attempting  to  decrypt  the  file  or  get  the 
password  of  the  zip  file. 

Q  How  do  you  know? 

A  From  a  few  things .      There ' s  a  folder 

called,    it  was  a  history  file  that  captured  the 
commands  are  issued,   the  downloading  of  an  open  source, 
password  cracking  utility  and  several  dictionaries  to 
help  facilitate  the  password  cracking. 

Q  Why  would  the  dictionaries  help  facilitate 

password  cracking? 

A  Dictionary    (INAUDIBLE)    is  a  common 

methodology  for  decrypting  files .      It  would  use  words 
or  generate  common  words  and  use  that  as  a  source  to 
get  the  passwords . 

THE  COURT:  Cross-examination? 

THE  DEFENSE:     One  minute,   Your  Honor? 

THE  COURT :     Yes . 

CROSS-EXAMINATION  BY  THE  DEFENSE: 
Q  Just  a  few  questions  for  you. 

A  Yes,  sir. 

Q  You  testified  on  direct  that  you  compared 
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the  video  on  the  Jason  Katz ' s  computer  to  the  video  on 
the  CENTCOM  server? 

A  Yes,  sir. 

Q  They  were  both  on  the  Katz  computer  and  the 

CENTCOM  server,   both  of  those  files  were  in  the  zip 
folder? 

A  Correct . 

Q  And  the  zip  folders  had  different  hash 

values? 

A  That ' s  correct . 

Q  But  the  video  inside,   those  had  the  same 

hash  value? 

A  Yes,  sir. 

Q  So  it ' s  possible  for  the  zip  folder  to  have 

a  different  hash  value  but  then  the  files  inside  to 
have  the  same  hash  value? 

A  Yes,  sir. 

Q  And  you  testified  that  Jason  Katz  somehow 

placed  that  file  on  his  computer  on  15  December, 
correct? 

A  The  user  account  did,   yes . 
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Q  But  you  don't  know  how  it  got  there? 

A  No,  sir. 

Q  It  could  have  been  a  CD,    it  could  have 

been  —  it  could  have  been  a  CD? 
A  Yes,  sir. 

Q  It  could  have  been  a  download? 

A  Anything  is  possible. 

Q  So  there  are  a  lot  of  different  ways  that 

that  file  could  have  been  placed  on  the  computer? 
A  Yes,  sir. 

Q  Now,   when  you  were  performing  your  forensic 

examination  of  Mr.  Katz's  computer,  you  found  something 
called  a  secure  shell  on  there,  correct? 

A  Correct . 

Q  Could  you  explain  for  the  court  what  a 

secure  shell  is? 

A  That  is  a  secure  communication  method. 

It ' s  an  encrypted  tunnel  between  two  different 
computers .     One  can  issue  commands  from  one  computer  to 
another . 

Q  So  a  secure  shell  would  allow,  could 
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potentially  allow  a  person— to— person  to  communicate 
between  their  system  at  work  and  the  system  at  home  for 
example? 

A  Sure . 

Q  Now,   when  you  were  performing  the  forensics 

on  Mr.   Katz's  computer  you  looked  at  everything, 
correct? 

A  Yes,  sir. 

Q  You  looked  at  e-mails? 

A  I  searched  the  whole  drive;   yes,  sir. 

Q  You  searched  the  whole  drive  and  when  you 

were  doing  your  forensic  examination  of  Mr.  Katz's 
computer,    you  looked  for  things  related  to  my  client, 
correct? 

A  Yes,  sir. 

Q  But  you  didn't  find  anything  related  to  my 

client,  correct? 

A  That ' s  correct . 

Q  There  weren't  e-mails  between  Mr.   Katz  and 

PFC  Manning? 

A  Correct . 
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Q  There  weren't  chats  between  Mr.   Katz  and 

PFC  Manning? 

A  Correct . 

Q  And  in  fact  your  investigation  revealed 

absolutely  no  connection  whatsoever  between  Jason  Katz 
and  my  client? 

A  That  is  correct . 

THE  DEFENSE :     Nothing  further .      Thank  you . 

THE  COURT:  Redirect? 

THE  PROSECUTION:     No,    Your  Honor. 

THE  COURT:     All  right.     Once  again,    you  are 
temporarily  excused.     Please  don't  discuss  your 
testimony  or  knowledge  of  the  case  with  anyone  other 
than  counsel  or  the  accused. 

THE  PROSECUTION:     Your  Honor,    I  have  the 
stipulation  of  the  expected  testimony  of  Mr.   Wyatt  Bora 
dated  10  June  2013. 

THE  COURT:      That's  Prosecution  Exhibit? 

THE  PROSECUTION:     Prosecution  Exhibit  115. 

THE  COURT :      Thank  you . 

(Whereupon,   Prosecution  Exhibit  115,  the 
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stipulated  testimony  of  Wyatt  Bora,   was  read  into  the 
record. ) 

THE  PROSECUTION:      The  stipulation  of 
expected  testimony  of  Mr.   Patrick  Hoeffel  dated  10 
June  2013.     Prosecution  Exhibit  116,  ma'am. 

THE  COURT:  Okay. 

(Whereupon,   Prosecution  Exhibit  116,  the 
stipulated  testimony  of  Patrick  Hoeffel,   was  read  into 
the  record . ) 

MR.   FEIN:      I  have  two  more  stipulations  of 
expected  testimony,    PE113  and  PE78.      113  and  78. 
THE  COURT :      Thank  you . 

(Whereupon,   Prosecution  Exhibit  113,  the 
stipulated  testimony  of  Deborah  van  Alstyne,   was  read 
into  the  record.) 

THE  PROSECUTION:     Ma'am,    the  United  States 
moves  to  admit  what  has  been  marked  as  Prosecution 
Exhibit  40  for  identification.      This  is  Prosecution 
Exhibit  40. 

MR.   HURLEY:     No  objection. 

THE  COURT:     All  right.     Prosecution  Exhibit 
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4  0  for  identification  is  admitted. 

THE  PROSECUTION :  Ma ' am  Prosecution  Exhibit 
7  8  stipulation  of  expected  testimony  Special  Agent  Mark 
Mander  9  June  2013. 

(Whereupon,   Prosecution  Exhibit  78, 
stipulated  testimony  of  Special  Agent  Mark  Mander,  was 
read  into  the  record.) 

THE  PROSECUTION:     Prosecution  Exhibit  92 
for  identification  is  the  SD  card,    item  2  of  DN162— 10. 

Your  Honor,   United  States  moves  to  admit  as 
evidence  Prosecution  Exhibit  92  for  identification  as 
Prosecution  Exhibit   92 . 

THE  DEFENSE:     No  objection. 

THE  COURT:     May  I  see  it,  please. 

THE  PROSECUTION:     Your  Honor,   may  I  have  a 

moment  ? 

Your  Honor,   may  we  actually  mark  this 
during  the  next  recess? 

THE  COURT :     Yes . 

Prosecution  Exhibit  92? 

THE  PROSECUTION:     Yes,  ma'am. 
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We're  ready  to  call  the  next  witness. 

THE  COURT:      Looking  at  the  time,    do  you 
want  to  take  a  brief  recess  right  now? 

THE  PROSECUTION:     Yes,   Your  Honor.  Well, 
ma'am,   we  can  but  we're  going  to  ask  for  another  recess 
after  this  next  recess  to  reset  the  evidence. 

THE  COURT:      Is  this  witness  going  to  be 

very  long . 

THE  PROSECUTION:     No,    this  is  the 
examination  of  the  SD  card. 

Then  Special  Agent  Shaver  is  being  called 
but    (INAUDIBLE)   we  need  a  recess. 

THE  COURT:     And  you  would  like  a  recess  now 

anyway? 

THE  DEFENSE:     Actually,    if  it's   just  the  SD 
card,   once  they  put  the  witness  on  the  stand,   we  would 
stipulate  to  the  SD  card  and  its  contents .     So  if  that 
would  speed  up  the  government's    (INAUDIBLE) . 

THE  PROSECUTION:      The  contents  are 
important,    Your  Honor,    so  are  the  dates  of  the  creation 
of  the  files . 


Provided  by  Freedom  of  the  Press  Foundation 


1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 


UNOFFICIAL  DRAFT  -  6/11/13  Afternoon  Session 


38 

THE  COURT:      Go  ahead  and  call  your  witness. 

THE  PROSECUTION:     United  States  calls 
Special  Agent  David  Shaver. 

THE  COURT:     Mr.   Coombs,    tell  me  one  more 
time  what  the  defense  is  going  to  stipulate  to? 

MR.   COOMBS:     We  would  stipulate  to  the 
contents  of  the  SD  card.      So  if  Agent  Shaver  is  being 
called  to  say  what  was  on  the  SD  card,   we  would 
stipulate  that  as  accurate. 

THE  COURT:      Go  ahead  and  call  the  witness. 

Mr.    Shaver,   you're  reminded  you're  still 

under  oath . 
Whereupon, 

DAVID  SHAVER, 

called  as  a  witness,   having  been  previously  duly  sworn 
to  tell  the  truth,    the  whole  truth,    and  nothing  but  the 
truth,   was  examined  and  testified  as  follows: 

REDIRECT  EXAMINATION  BY  THE  PROSECUTION: 

Q  Agent  Shaver,    do  you  recall  examining  a  SD 

card  at  (INAUDIBLE)? 

A  Yes . 
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Q  Who  requested  that? 

A  One  of  the  agents  did. 

Q  Did  you  examine  the  actual  SD  card  itself 

or  an  image  of  the  SD  card? 

A  Sir,    I  checked  out  the  evidence  from  the 

evidence  room,   created  a  forensic  image,   verified  the 
forensic  image  and  checked  the  evidence  back  in.  I 
worked  off  the  image  file. 

Q  Agent  Shaver,   what  did  you  find  in  the 

unallocated  space  on  the  SD  card? 

A  I  found  several  pictures,   partial  movies 

and  text  files . 

Q  What  were  the  text  files? 

A  They  were  pertaining  to  the  CIDNE  documents 

and  the  SigActs . 

Q  And  what  was  found  in  the  allocated  space 

on  the  card? 

A  Sir,   there  was  one  file,   yadda  dot  star  dot 

bz2  dot  NC. 

Q  Where  was  this  found  on  the  SD  card? 

A  There  was  a  folder  called  DCIM. 
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Q  What  is  a  DCIM? 

A  Sir,   that's  a  standard  folder  that's 

created  by  digital  cameras . 

Q  What  is  it  used  for? 

A  It  is  for  organization  of  photos . 

Q  I'm  going  to  show  you  what ' s  been  marked  as 


Prosecution  Exhibit  105  for  identification. 
(INAUDIBLE) . 

I  hand  the  witness  what ' s  been  marked  as 
Prosecution  Exhibit  105  for  identification. 

Do  you  recognize  that? 
A  Yes,    sir;    I  do. 

Q  What  is  it? 

A  Sir,    it's  a  screenshot  I  created  of  the 

file  yadda  dot  tar  dot  bz2  dot  NC  and  the  creation 
date . 

Q  How  do  you  create  a  screenshot? 

A  Sir,    this  is  actually  a  screenshot  of 

EnCase  forensic  program. 

MR.   FEIN:     Permission  to  publish,  Your 

Honor? 
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THE  COURT:      Go  ahead.     What  is  that  noise? 
MR.   FEIN:     Ma'am,    it's  the  projector 
turning  on  and  off. 

Q  Agent  Shaver,    can  you  identify  on  the 

screenshot  the  file  you're  referring  to? 
A  It's  the  file  in  the  middle. 

Q  And  just  let's  go  through  the  file  itself. 

What  does  the  MC  on  the  end  of  that  file 

mean? 

A  Sir,   that's,    it's  a  default  standard  file 

naming  for  a  file  which  has  been  encrypted  using  the  M 
crypt  software . 

Q  What  does  M  crypt  stand  for? 

A  That's  an  open  source  utility  to  encrypt 

files . 

Q  And  when  you  say  encrypted,    how  would  you 

open  this  file? 

A  You  needed  a  password. 

Q  And  were  you  able  to  open  this  file? 

A  Yes,    sir;    I  was. 

Q  What  password  did  you  use? 
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A  Sir,    I  used  a  password  PFC  Manning  provided 

to  Mr.   Lamo  in  the  chats. 

Q  And  what  date  was  this  file  created? 

A  January  30th,  2010. 

Q  And  how  do  you  know  that? 

A  Because  that's  what  the  date  is  shown  here, 

sir . 

Q  What  date  are  you  referring  to? 

A  The  file  created  date,  sir. 

Q  And  when  you  opened  this  file,   what  was 

contained  within? 

A  Sir,    there  were  four  files  contained 

therein . 

Q  I'm  handing  Prosecution  Exhibit  105  for 

identification  back  to  the  court  reporter,  and 
retrieving  Prosecution  Exhibit  50  for  identification. 

I ' m  handing  you  what ' s  been  marked  as 
Prosecution  Exhibit  50  for  identification. 
Do  you  recognize  that? 
A  Yes,    sir;    I  do. 

Q  What  is  it? 
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A  It ' s  a  screenshot  I've  created  of  the 

contents  of  the  file.  It  shows  the  file,  the  four 
files  contained  therein  and  the  last  written  date. 

Q  And  how  is  that  created? 

A  Sir,    it's  a  screenshot  of  the  EnCase 

forensic  software. 

Q  Permission  to  publish? 

THE  COURT:      Go  ahead. 

Q  We  don't  need  to  necessarily  go  through, 

well,   actually  let's  briefly  go  through  the  top  file. 
AFG  underscore    (INAUDIBLE)   what  was  contained  in  that? 

A  Sir,    that  was  approximately  91,000  complete 

SigActs  pertaining  to  the  Afghan  theater. 

Q  And  what  date  was  that  file  created? 

A  Sir,   that  was,    like  I  say,   the  file  — 

because  the  file  was  encrypted  and  the  files  were 
zipped  up,   the  actual  creation  date  was  lost,   but  the 
last  written  date  remains . 

Q  What  does  the  last  written  date  tell  you? 

A  That ' s  the  last  time  the  file  was  written 

to  or  updated.     That  date  would  be  January  8th,  2010. 
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Q  Again,    go  down  to  the  next  file.  IRQ 

underscore  events  dot    (INAUDIBLE)   what  was  in  that 
file? 

A  Sir,    approximately  390,000  complete  SigActs 

pertaining  to,    from  CIDNE  database  pertaining  to  the 
Iraq  theater. 

Q  What  date  was  that  last,   that  file  last 

written? 

A  It  was  January  5th,  2010. 

Q  And  finally,    the  file  README . txt ,   what  was 

contained  in  that  file? 

A  Sir,    that  was  kind  —  just  a  text  file 

contained  some  information  about  the  two  CSU  files . 

Q  What  about  that  last  file? 

A  Sir,    that's  a  temporary  file.      It  was 

written  by,  created  by  the  Macintosh  operating  system. 
No  important  information  in  there  except  it  shows  that 
Macintosh  was  used  to  create  it . 

Q  When  was  the  README . txt  file  last  written? 

A  Last  written  January  9th,  2010. 

Q  I'm  handing  Prosecution  Exhibit  50  for 
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identification  to  the  court  reporter. 

THE  COURT:     Before  you  do  that,    I  didn't 
catch  the  number  for  the  first  file. 

THE  WITNESS:  Afghan? 

THE  COURT:     Whatever  the  first  file  was. 
THE  WITNESS:     Approximately  91,000. 
THE  COURT :      Thank  you . 
BY  THE  PROSECUTION: 

Q  I'm  showing  Prosecution  Exhibit  42  for 

identification . 

I'm  handing  the  witness  what's  been  marked 
as  Prosecution  Exhibit  42  for  identification.  Agent 
Shaver,    do  you    (INAUDIBLE)   what  it  is? 

A  That  is  the  README . txt  file. 

Q  Generally    (INAUDIBLE) ,   what  does  the  text 

file  describe? 

A  It  describes  the  files,    the  CIDNE 

documents .      The  Iraq  and  Afghanistan  significant 
activities,    SigActs . 

THE  PROSECUTION:     Permission  to  publish  the 
report,    Your  Honor? 
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THE  COURT :     Yes . 
Q  Is  that  an  accurate  representation  of  the 

file  you  just  looked  at? 
A  Yes,  sir. 

THE  PROSECUTION:     Your  Honor,  the 
Prosecution  moves  to  admit  Prosecution  Exhibit  42  into 
evidence . 

THE  DEFENSE:     No  objection. 

THE  COURT:     Prosecution  Exhibit  42  is 

admitted. 

THE  PROSECUTION:      Thank  you,   Agent  Shaver. 

THE  COURT:  Cross-examination? 

THE  DEFENSE:       (INAUDIBLE) . 

RECROSS— EXAMINATION  BY  THE  DEFENSE: 
Q  Good  afternoon,   Agent  Shaver? 

A  Good  afternoon,  sir. 

Q  Agent  Shaver,    I  want  to  talk  first  about  — 

you  talked  about  the  contents  of  the  SD  card  and  you 
were  talking  about  the  file  written  or  the  file  created 
date? 

A  Correct . 


Provided  by  Freedom  of  the  Press  Foundation 


1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 


UNOFFICIAL  DRAFT  -  6/11/13  Afternoon  Session 


47 

Q  And  I  believe  you  said  the  Afghan  war 

diary,    that  was  written  on  8  January? 

A  I  would  have  to  see  that  document  again  to 

be  sure,  but. 

Q  Okay . 

THE  DEFENSE:      Can  I  retrieve  Prosecution 

Exhibit  50? 

THE  COURT:      It's  still  50  for 
identification . 

THE  DEFENSE:      50  for  identification.  Thank 

you ,   ma  '  am . 

Permission  to  publish  this,    Your  Honor. 
THE  COURT:  Yes. 
BY  THE  DEFENSE: 

Q  Agent  Shaver,   we  have  got  the  Afghan  events 

dot  CSC  file  and  last  date  written  8  January? 
A  Correct . 

Q  Would  you  agree  with  me  that  date  could  be 

associated  with  when  that  file  was  placed  on  the  SD 
card? 

A  No.     Maybe.      I'm  sorry,    sir,    I  don't  — 
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(INAUDIBLE)    it  was  contained  within  a  zip  file. 

Q  Okay.      Is  it  possible  that  that,   that  the 

last  written  date  changed  when  the  file  was  put  on  the 
zip,    on  the  SD  card? 

A  Could,   yes,  sir. 

Q  So  it  doesn't  necessarily  mean  that  that's 

the  last  time  the  file  was  added  to  or  changed  the 
substance  of  that  document? 

A  It's  possible;   yes,  sir. 

Q  And  the  same  would  of  course  then  be  true 

for  the  others? 

A  The  others . 

THE  DEFENSE:     Returning  Prosecution  Exhibit 
50  for  identification. 

Q  Now,    those  files  were  in  a  zip  file, 

correct? 

A  Yes,  sir. 

Q  And  that  was,   that  had  a  password? 

A  Yes,  sir. 

Q  And  it  was  encrypted. 

And  you  testified  that  you  received  the 
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password  or  you  got  access  to  the  password  through  the 
chats? 

A  Right . 

Q  Between  PFC  Manning  and  Mr.   Lamo;    is  that 

correct? 

A  Uh— huh.     Yes,  sir. 

Q  Now,    the  password  that  was  discussed  in 

those  chats  was  actually  for  PFC  Manning's  AKO  account, 
wasn't  it? 

A  I  believe  so,  yes. 

Q  So  it  was   just  kind  of  luck  that  that 

password  also  opened  this  file? 

A  It  is  what  it  is,    sir.      It's  the  same 

password. 

Q  Okay.     Fair  enough.      It  wasn't  in  the  chat, 

it  wasn't  identified  as,   hey,   here's  the  password  for 
this  encrypted  file? 

A  Yes,    sir;   you're  correct. 

Q  It  was  identified  as  here's  the  password 

for  my  AKO  account? 

A  Correct . 
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Q  Okay . 

Now,   once  you,   you  use  that  password  to  get 
into  the  encrypted  file  and  you  got  those  CSV  files, 
what  did  you  do  with  those? 

A  I  extracted  them  and  I  provided  them  to  the 

case  agent . 

Q  When  you  extracted  them,   what  did  you  put 

them  in?     What  program  did  you  use? 

A  I  extracted  them  and  gave  them  as  is,  I 

didn ' t ,    you  can  open  with  Excel . 

Q  Okay .     So  you  can  open  those  with  an  Excel 

document  and  you  gave  those  to  the  case  agent . 

I'd  like  to  retrieve  what's  been  marked  as 
Defense  Exhibit  Echo  for  identification. 

And  Agent  Shaver,    I'll  ask  you  to  move  over 
here  to  the  panel  box . 

I ' m  handing  betweens  Exhibit  Echo  for 
identification  to  the  witness. 

Agent  Shaver,   please  look  at  that  document . 
What  is  that? 
A  Sir,    this  is  a  SigAct . 
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Q  How  do  you  know  that? 

A  Sir,    I  created  this.      I  extracted  the 

SigAct  from  the  CIDNE,    one  of  these  files,    I'm  sorry,  I 
forget  the  file  name. 

Q  Was  it  from  the  Iraq  events? 

A  Yes,  sir. 

Q  How  did  you  go  about  creating  that  file? 

A  Sir,    I  copied  —  each  line  of  the  CSV  is  a 

complete  SigAct.      I  highlighted  a  specific  line,  copied 
it .      I  put  it  into  notepad  which  I  removed  all 
formatting.      I  then  recopied  it  from  notepad  into 
Microsoft  Word.     Printed  this  and  initialed  it. 

THE  DEFENSE :      Can  I  have  a  moment ,  Your 

Honor? 

THE  COURT :     Yes . 
(Pause . ) 
BY  THE  DEFENSE: 

Q  Agent  Shaver,   what's  the  date  on  that 

SigAct? 

A  30  December  2009.     Am  I  reading  the  right 

place? 
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THE  DEFENSE:     Permission  to  approach? 
THE  COURT :     Yes . 
Q  Agent  Shaver,   what's  the  date  on  that? 

A  Sorry,    December  24,  2009. 

Q  Okay .     And  without  answering  in  a 

classified  manner,   what's  the  general,   what  sort  of 
incident  does  that  report? 

A  Appears  IEDs  explosion. 

THE  DEFENSE:  I'm  going  to  retrieve  Defense 
Exhibit  Echo  for  identification  and  offer  it  as  Defense 
Exhibit  Echo . 

THE  COURT:     All  right.  Yes? 

THE  PROSECUTION:     No  objection,   Your  Honor. 
THE  COURT:     Okay.      Getting  late  in  the  day. 
I  think  I  will  need  that  recess. 
Defense  Exhibit  Echo  for  identification  is 

admitted. 

THE  DEFENSE:     Agent  Shaver,    thank  you. 
That ' s  all  the  questions  I  have . 

THE  COURT:  Redirect? 

THE  PROSECUTION:     Yes,   Your  Honor. 


Provided  by  Freedom  of  the  Press  Foundation 


1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 


UNOFFICIAL  DRAFT  -  6/11/13  Afternoon  Session 

53 

REDIRECT  EXAMINATION  BY  MR.  MORROW: 
Q  Agent  Shaver,    I'm  going  to  ask  you,  without 

pulling  out  Defense  Exhibit  Echo  again  —  if  you  would 
move  back  to  the  witness  stand,   please  —  when  you  read 
that  SigAct,   was  any  information  redacted? 
A  No. 

Q  So  the  units  were  identified? 

A  Yes . 

MR.   HURLEY:     Objection.  Leading. 

THE  COURT :     Overruled . 
Q  Was  any  information  redacted? 

A  No,  sir. 

Q  Was  any  information  replaced  by  markers? 

A  I  did  not  see  any . 

MR.   MORROW:     No  further  questions. 

MR.   HURLEY:     None,  ma'am. 

THE  COURT:     All  right.      Temporary  excusal? 
MR.   FEIN:     Yes,  ma'am. 

THE  COURT:     Once  again,    you  are  temporarily 
excused.     Same  rules  apply  as  before. 

THE  WITNESS:     Yes,  ma'am. 
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MR.   FEIN:      The  United  States  asks  for  a 

recess . 

THE  COURT:      The  court  is  in  recess  until 

15:35,  3:35. 

(Court  in  recess.) 

THE  COURT :      Court  is  called  to  order . 
Can  you  account  for  the  parties? 
MR.   FEIN:     All  parties  are  in  the  court  at 
last  recess  with  the  exception  of  Captain  von  Elten . 

THE  COURT:      Is  the  government  ready  to 

proceed? 

THE  PROSECUTION:      Government  calls  Special 
Agent  Shaver . 

REDIRECT  EXAMINATION  BY  THE  PROSECUTION: 
Q  I   just  want  to  remind  you  you're  still 

under  oath . 

Agent  Shaver,    I'd  like  to  discuss  your 
examination  of  a  couple  of  SIPRNET  computers .  The 
first,   what  were  the  IP  addresses  of  the  SIPRNET 
computers  you  examined  in  this  case? 

A  I  examined  several  but  primarily  two,  dot 
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22  and  dot  40 . 

Q  When  you  say  dot  22  what  are  you  referring 

to? 

A  The  IP  address,    the  internet  protocol 

address . 

Q  What  was  your  process  for  examining  this 

computer? 

A  The  process  was  to  verify  the  hash  values 

and  make  sure  it  was  an  accurate  image .     And  then  start 
conducting  examination  to  see  what's  there.  Search 
both  the  allocated  and  unallocated  spaces . 

Q  Did  you  verify  the  hash  values? 

A  Yes,    I  did. 

Q  Now,   with  respect  to  the  dot  22  computer, 

what  did  you  look  for  first,   what  were  you  looking  for 
first? 

A  I  was  looking  to  see  what  files  were 

present.     First  off,   was  there  a  Bradley  dot  Manning 
user  profile. 

Q  Did  you  find  one? 

A  Yes . 


Provided  by  Freedom  of  the  Press  Foundation 


1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 


UNOFFICIAL  DRAFT  -  6/11/13  Afternoon  Session 


56 

Q  What  do  you  mean  by  what  files  were 

present? 

A  I  wanted  to  see  what  files  were  present 

within  the  user  profile.     Again  at  this  time  I  hadn't 
been  given  the  chat  log  so  I  was  looking  at  things 
concerning  the  Department  of  State  and  things  like 
that . 

Q  And  when  you  say  present,    are  you  referring 

to  allocated  files? 

A  Yes,    sir;    I  am. 

Q  And  now,   what  kind  of  web  browser  was  under 

PFC  Manning's  profile? 

A  There  were  two . 

Q  What  were  the  two? 

A  Internet  Explorer  and  Firef ox . 

Q  What  was  the  configuration  of  the  Internet 

Explorer  web  browser? 

A  There  was  a  standard  Army  build  where  the 

user  can  surf  the  web  but  could  not  clear  the  internet 
history . 

Q  And  where  does  a  computer  keep  internet 
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history? 

A  For  Internet  Explorer  it  keeps  it  in  a  user 

profile  called  index  dot  dat  file. 

Q  What  does  that  file  contain? 

A  Times  and  dates,    files  accessed  either 

locally  or  remotely  and  IPs  address. 

Q  You  said  files  accessed.     What  do  you  mean 

by  that?     Describe  how  the  computer  would  log  some 
action  on  the  computer  in  the  —  or  action  by  the  user 
in  the  index  dot  dat  file? 

A  If  it  went  to  a  web  page,   it  would  log  it 

as  a  web  page.      If  he  went  to  CNN.com,    it  would  be 
there.      If  he  double  clicked  on  a  Word  document  that 
would  be  there  as  well . 

Q  You  said  this  computer  had  a  Firefox  web 

browser? 

A  Yes . 

Q  How  that  was  configured  (INAUDIBLE)? 

A  That  was  configured  to  run  in  privacy 

browsing  mode  wherein  no  user  history  would  be 
maintained . 
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Q  And  what  was  the  home  page  of  the  Firefox 

web  browser? 

A  Intelink. 

Q  Now,    you  were  looking  for  the  files  that 

were  present  on  the  computer.     Did  you  find  any  files 
that  seemed  to  be  odd  or  at  least  were  pertinent  to  the 
investigation  as  you  knew  it  at  this  point? 

A  Yes,  sir. 

Q  What  did  you  find? 

A  Within  the  user  profile  Bradley  dot  Manning 

there  was  a  folder  called  blue  and  within  there  there 
was  files  dot  zip.     The  files  dot  zip  contained  over 
10,000  complete  Department  of  State  cables. 

Q  So  let's,   we'll  take  each  of  those  in  turn. 

I'm  retrieving  what's  been  marked  as 
Prosecution  Exhibit  104  for  identification. 

I'm  handing  the  witness  what's  been  marked 
as  Prosecution  Exhibit  104  for  identification. 

A  Yes,  sir. 

Q  Agent  Shaver,    do  you  recognize  that? 

A  Yes . 
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Q  What  is  it? 

A  It ' s  a  screen  shot  I  created  of  the  folder 

blue  that  contains  deleted  files  and  file  creation 
dates . 

Q  And  is  the  folder  blue? 

A  Yes . 

Q  How  would  you  create  a  screen  shot? 

A  This  is  a  screen  shot  of  then  case  program 

which  allows  you  to  see  the  allocated  and  unallocated 
deleted  files . 

THE  PROSECUTION:     Permission  to  publish? 
THE  COURT:  Okay. 
BY  THE  PROSECUTION: 

Q  Agent  Shaver,    can  you  point  out  the  files, 

essentially  the  files  that  you  just  talked  about 
earlier?     Let's  start  with  backup  dot  XLSX. 

A  Yes,  sir. 

Q  Generally,   what  was  in  that  file? 

A  Sir,    that  was  a  Excel  spreadsheet  with 

three  tabs.     The  tabs  were  0310-0410,   the  next  tab  0510 
and  the  last  one  was  WJ. 
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Q  And  you  also  mentioned  files  dot  zip? 

A  Correct . 

Q  What  was  in  files  dot  zip? 

A  Files  dot  zip  contained,   actually  it  was  a 

partially  corrupted  zip  file  that  contained  over  10,000 
complete  Department  of  State  cables . 

Q  And  when  you  say  partially  corrupted,  what 

do  you  mean  by  that? 

A  Something  went  wrong  when  this  zip  file  was 

created.      I  don't  know  what,   but  I  can  tell  you  a 
normal  user  when  they  tried  to  view  it,   winzip  would 
give  you  the  error,   this  file  is  corrupted  you  cannot 
view  it .     Using  the  EnCase  forensic  software  it  still 
allowed  me  to  view  the  contents . 

Q  And  —  okay .     What  was  the  format  of 

Department  of  State  cables  in  files  dot  zip? 

A  HTML. 

Q  What  is  HTML? 

A  It ' s  a  web  page . 

Q  I  will  show  you  what ' s  been  marked  as 

Prosecution  Exhibit  101  for  identification. 
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I'm  handing  the  witness  what's  been  marked 
as  Prosecution  Exhibit  101  for  identification. 
(Witness  reading.) 
A  Yes,  sir. 

Q  Agent  Shaver,    do  you  recognize  that? 

A  Yes,    sir;    I  do. 

Q  What  is  it? 

A  It ' s  the  contents  of  the  backup  dot  XLSX 

file. 

Q  What  is  XLSX? 

A  That  is  Office  Excel  document. 

THE  PROSECUTION:     Permission  to  publish 
with  the  court,    Your  Honor? 

THE  COURT:  Okay. 
BY  THE  PROSECUTION: 

Q  Agent  Shaver,    is  this  the  top  of  the  Excel 

file  or  the  bottom  of  the  Excel  spreadsheet? 

A  It  appears  to  be  the  bottom. 

Q  Let ' s  go  through  the  tabs .     You  said 

there's  a    (INAUDIBLE)    tab.      I  see.      0310  and  0410,  what 
does  that  contain? 
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A  Those  contain  the  Department  of  State 

cables  which  had  been  published  by  the  various 
embassies  throughout  the  world  for  the  March  and 
April  2010  timeframe. 

Q  What  does  the  5010  tab  contain? 

A  Similar  files .      They  were  Department  of 

State  cables  published  by  various  embassies  throughout 
the  world  for  May  2010. 

Q  When  you  said  Department  of  State  cables, 

was  it  the  full  cables? 

A  Yes  —  no,    sir,    these  were,    no,    sir,  they 

were  not . 

Q  What  did  this  spreadsheet  — 

A  Sure,   the  first  left  number  was  a  tracking 

number  created  by  the  user.     The  date  and  time,  again, 
of  the  file  apparently  when  it  was  retrieved.  The 
embassy,   the  embassy's  cable  name  and  the  embassy's 
common  name  and  the  classification  marking. 

Q  I'm  going  to  show  you  what ' s  been  marked  as 

Prosecution  Exhibit  102  for  identification. 

Agent  Shaver,    do  you  recognize  that 
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document  ? 

A  Yes,    sir;    I  do. 

Q  What  is  it? 

A  Again,    this  is  a  same  backup  XLSX  file. 

Q  And  how  is  that  document  created? 

A  This  is  a,    just  a  screen  shot,    from  Excel. 

Q  What's  the  number  on  the  top  left? 

A  The  ID  number,    sir,    is  251288. 

Q  And  I'm  going  to  show  — 

THE  PROSECUTION:     Permission  to  publish, 

Your  Honor? 

THE  COURT:      Go  ahead. 
BY  THE  PROSECUTION: 

Q  What  was  the  significance  in  this 

investigation  to  251288,    the  top  left  number? 

A  The  WikiLeaks  had  published  251,287 

documents . 

THE  PROSECUTION:     Your  Honor,  the 
Prosecution  moves  to  admit  Prosecution  Exhibit  102  into 
evidence  as  Prosecution  Exhibit  102. 

THE  DEFENSE:     No  objection. 
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THE  COURT :     All  right .      Let  me  see  it . 
Prosecution  Exhibit  102  for  identification 

is  admitted. 

BY  THE  PROSECUTION: 

Q  Let's  talk  about  the  Wget  worksheet.  I'm 

retrieving  what ' s  been  marked  as  Prosecution  Exhibit 
100  for  identification. 

I'm  handing  Prosecution  Exhibit  100  for 
identification  to  the  witness . 

(Witness  reading.) 

Q  Do  you  recognize  that,  sir? 

A  Yes,    I  do. 

Q  What  is  this? 

A  It ' s  a  screen  shot  of  the  Wget  tab  within 

the  backup  of  the  dot  XLXS  file. 

THE  PROSECUTION:     Permission  to  publish, 

Your  Honor? 

THE  COURT:      Go  ahead. 
BY  THE  PROSECUTION: 

Q  Agent  Shaver,    can  you  just  describe  how 

someone  would  use  Wget  or  how  this  might  be  used  in 
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conjunction  with  the  program  Wget? 

A  Yes,    sir.      This  spreadsheet,   what  this 

shows  here  is  the  Wget  command  being  operated.  The 
Wget-0  is  the  output  file  is  the  Department  of  State 
name  and  further  there's  the  address  of  the  website  and 
what  to  get . 

Q  What  do  you  refer  to  when  you  said  the  web? 

A  The  MC  state  dot  SD  dot  gov. 

Q  NC  state? 

A  Yes,    sir,   NCD . 

Q  Sorry.     Keep  going.  So? 

A  For  barred  slash  message  forward  slash 

reference  and  there  would  be  the  Department  of  State 
cable  itself. 

Q  Now,    how  would  you  use  Wget,   how  would  you 

use  a  message    (INAUDIBLE)    number  to  download  cables 
from  the  State  Department? 

A  That's  how  they're  stored  by  message  record 

number.     So  that's  how  they  would  be  stored.      If  you 
would  like  to  retrieve  it,   you  would  have  to  request  it 
by  day. 
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So  in  this  case  the  first  top  line  you  can 
see  that  the  file  10  cavara   (phonetic)    1553,   that  cable 
is  being  downloaded. 

Q  Okay.     Now,   where  does  Wget  run  from? 

A  From  the  command  line . 

Q  Does  it  run  from  the  server,   the  NCD  server 

or  from  the  computer? 

A  It ' s  a  local  computer.      (INAUDIBLE)  local 

computer . 

Q  What  other  —  first  I'm  handing  the 

Prosecution  Exhibits  back  to  the  court  reporter. 

What  other  Wget  related  information  did  you 
find  on  this  computer? 

A  Within  Windows  prefetch  files  there  showed 

there  was  prefetch  files  where  I  captured  Wget  being 
run  from  the  Bradley  dot  user  Manning  profile  on 
several  location. 

Q  What  are  prefetch  files? 

A  Sir,    that ' s  a  Microsoft  Windows  feature 

whereas  the  Microsoft  will  cache  parts  of  the 
information  about  a  program  so  the  next  time  you  run 
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it,    it  will  run  faster. 


Q 


Now,    you  said  from  different  locations? 


A 


Yes,  sir. 


Q 


What  do  you  mean  by  that? 


A 


The  prefetch  files,   part  of,   what  it 


captures,    it  also  captures  the  path  of  the  program. 
Within  the  prefetch  file  there  are  several  prefetch 
files  which  are  run  from  various  locations  within  the 
Bradley  dot  Manning  user  profile .      So  the  Wget  was 
copied  to  various  folders  within  and  then  run . 

Q  Why  would  Wget  not  run  from  different 

folders? 

A  To  capture  the  data  faster. 

Q  And  when  did  Wget  appear  in  PFC  Manning ' s 

user  profile  on  the  computer? 

A  It  first  appeared  in  March  2007  or 

March  7th,  2010. 

Q  And  but  was  that,    did  you  find  that  in  the 

user  profile? 

A  No,    sir.      I  found  that  through  the 

prefetch.     The  file  Wget  was  present  in  the  allocated 
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space  in  the  W  dot  Manning  user  profile  before 
May  2010. 

Q  What  does  the  presence  of  Wget  in  the 

prefetch  file  in  early  March  tell  you  when  the  Wget 
program  was  put  on  the  computer  in  format? 

A  It  means  it  was,    it  was  there  prior,    it  was 

obviously  on  the  computer  within  again  the  Bradley  dot 
Manning  user  profile  in  March  2010  and  it  was 
physically  located,    created  in  May  2010  so  that  means 
the  file  was  copied  and  placed  there  again . 

Q  What  other  findings  did  you  make  regarding 

the  Department  of  State  information? 

A  Sir,   within  the  Windows  temp  folder  there 

are  two  files,   both  have  the  CID    (phonetic)  security 
identifier  of  the  user  profile  Bradley  dot  Manning  and 
these  two  files  each  contain  several  hundred  complete 
Department  of  State  cables .      They  were  in  a  CSV  format 
but  however  they  had  been  Base64  encoded. 

Q  Let's  start  first,   what  is  the  Windows  temp 

folder? 

A  That  is  a  default  folder  for  the  Windows 
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operating  system  to  write  temporary  files  to . 

Q  And  you  said  CSV  file,   what  is  a  CSV  file? 

A  Sir,    that's  common  separated  value. 

Q  Why  would  someone  use  a  CSV  file? 

A  That's  to,    the  ease  of  moving  data  around. 

CSV  is  a  standard  format  for  that . 

Q  You  also  mentioned  Base64? 

A  Yes,  sir. 

Q  What  is  Base64? 

A  That's  a  method  of  encoding.     Encoding  is, 

it's  a  way  of  transposing  data  to  make  it  easier  to 
move  it.      It  compacts  it,   but  it  also  makes  it  easier. 

Q  Why  would  someone  convert  HTML  to  Base 6 4 

and  embed  it  in  CSV? 

A  A  CSV  is  a  common  separated  value . 

Department  of  State  cables  are  sentences  so  they  would 
have  commas,   periods,    things  like  that.      So  the  comma 
separated  value  file  only  works  if  you  use  commas  in 
the  right  location.      If  there's  extra  commas, 
everything  gets  spread  out.      It  doesn't  line  up  and 
work  right .     By  encoding  it  with  Base64  you  alleviate 
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that  problem. 

So  it ' s  only  the  commas  that  you  tell  it  to 

be  there . 

Q  And  did  you  search  the  —  this  was,    now  I 

believe  we  have  been  talking  about  allocated  space,  but 
did  you  search  the  unallocated  space  for  the  Department 
of  State  information? 

A  Yes . 

Q  What  did  you  find? 

A  I  found  over  100,000  complete  and  partial 

Department  of  State  cables  in  the  unallocated  space . 

Q  What  do  you  mean  by  complete  and  partial? 

A  134  were  complete,   had  not  been 

overwritten.     Other  ones  had  partially  been 
overwritten,    so  part  of  the  file  existed  but  not  the 
complete  file . 

Q  I  want  to  talk  about  the  restore  points  on 

the  computer.     First,   what  is  a  restore  point? 

A  Sir,    restore  point  is  a  Microsoft  concept 

to  make  sure  that  your  computer  did  not  break . 

Let ' s  say  you  load  a  piece  of  software .  It 
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will  create  a  restore  point  prior  to  installing  the 
software  so  if  there's  a  problem,   you  can  go  back  in 
time  and  your  computer  will  work  again. 

If  you  plug  a  new  hard  drive  in  and  it 
doesn't  work  and  you  activate  the  restore  point  and  go 
back  in  time  and  it  was  like  the  hard  drive  was  never 
actually  installed  so  your  computer  continues  working. 

Q  And  what  does  your  examination  of  the 

restore  points  tell  you  about  the  computer  generally? 

A  It  would  show  things  like,    it  would  show 

file  names .     Files  that  either  did  exist  or  had  existed 
at  one  time  within  the  various  user  profiles . 

Q  Did  the  restore  points  shed  any  light  on 

the  date  that  the  computer  might  have  been  imaged? 

A  Yes,  sir. 

Q  Please  explain. 

A  The  computer  is  approximately  imaged  in 

early  March  2010. 

Q  And  what,    if  a  computer  has  been  imaged  in 

March  2010,   what  does  that  mean  to  you  as  the  forensic 
examiner? 
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A  Since  it  had  been  reimaged,  everything 

really  pertinent,   all  the  allocated  files  prior  to  that 
were  now  unallocated  or  overwritten. 

Q  Agent  Shaver,    I  want  to  talk  about  the 

contents  of  the  Farah  folder  we  discussed  earlier. 

Did  you  find  any  documents  related  that 
were  contained  from  the  Farah  folder? 

A  I  found  some  deleted  jpegs  which  are 

graphic  image  files  and  PDF  files . 

Q  What  about  just  evidence  that  the  files  had 

been  clicked  on  or  something  like  that? 

A  Yes,    sir,   within  the  index  dot  dat  file 

there  are  several  hundred  files  named,  naming 
convention  would  suggest  there  was  a  fraud 
investigation . 

Q  What  was  the  date  of  the  activity  on  the 

index  dot  dat  file? 

A  April  10,  2010. 

Q  Is  the  index  dot  dat  file,    is  it  easy  to 

find  as  a  regular  user  of  the  computer? 

A  No,    sir,   that's  a  hidden  file. 
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Q  At  what  point  does  the  computer  store  the 

index  dot  dat  time? 

A  It ' s  a  database .     So  to  extract  information 

out  you  need  a  stool,   another  program  to  extract  it  to 
make  it  easier  to  read  for  people . 

Q  And  in  this  case,   what  did  you  do  with  the 

index  dot  dat  file? 

A  I  extracted  it  and  put  it  into  Excel  for 

ease  of  review . 

Q  When  you  extracted  and  put  it  into  Excel 

did  you  alter  the  information  in  any  way? 

A  No,    sir,    I  did  not. 

Q  If  you  had  printed  the  entire  index  dot  dat 

file  in  this  Excel  version,    how  long,   how  many  printed 
pages  would  that  be? 

A  A  lot,    sir.      Several  hundred  probably. 

Q  I'm  retrieving  what's  been  marked  as 

Prosecution  Exhibit  128  for  identification. 

I'm  handing  the  witness  what's  been  marked 
as  Prosecution  Exhibit  128  for  identification. 

Just  take  a  few  moments  to  look  at  it . 
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(Witness  reading.) 
Q  Do  you  recognize  that  document? 

A  Yes ,    I  do . 

Q  What  is  it? 

A  Sir,    that  is  an  Excel  spreadsheet  I 

created.      It's  an  extract  summary  of  the  index  dot  dat 
pertaining  to  April  10th. 

Q  And  how  did  you  create  this  summary  of  the 

index  dot  dat? 

A  Sir,    I  filtered  on,    filtered  on  April  2010. 

THE  PROSECUTION:     And  permission  to  publish 
with  the  court,    Your  Honor? 

THE  COURT:      Go  ahead. 
BY  THE  PROSECUTION: 

Q  I'm  going  to  publish  just  the  last  page  of 

the  Exhibit.     But  Agent  Shaver,    I'm  just  publishing  the 
last  page,   but  I'd  like  you  to  just  describe  what  the 
activity  you  observed  in  the  index  dot  dat  file  on  this 
date  is .     What  are  you  observing? 

A  Sir,    left  to  right  we  have  obviously  a  line 

item  number,    the  next  one  is  a  date  in  military  time, 
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GMT3  hours.      It's,    it  shows  you  visited.      The  Bradley 
dot  Manning  user  profile,   visit  a  file  called,  located 
in  the  documents  and  settings,    Bradley  dot  Manning  my 
documents  downloads  folder  tab  underscore  D  tab  space  D 
appendix  — 

Q  Well  let ' s  make  this  shorter . 

Let ' s  look  at  the  last  line  of  this  line 

247  . 

A  Yes,  sir. 

Q  Of  the  line  that  ends  in  Farah  dot  set? 

A  Correct . 

Q  Describe  the  activity  observed  from  that 

line  and  up  leading  to  again  Farah  dot  set . 

A  Correct.      Sir,    apparently  some  files  were, 

it  shows  three  files.      Three  PDF  files  were  visited  at 
1659  hours  and  at  1705  a  file  called  Farah  dot  zip  was 
visited  by  the  Bradley  dot  Manning  user  profile  is  in 
the  downloads  folder  and  so  are  the  other  documents . 

Q  Now,    if  you  look  at  the  entire  Exhibit  128 

for  identification  in  conjunction,    I  mean,    if  you  flip 
through  every  page,   what  does  the  activity  show  you, 
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what  does  the  index  dot  dat  capture? 

A  It ' s  capturing  a  user  account  Bradley  dot 

Manning  first  visiting  a  website  non-REL  dot  CENTCOM 
dot  smil  dot  mil .  Then  shortly  there  later  a  lot  of 
files  locally  on  the  computer. 

Q  How  can  you  tell  that  they ' re  locally  on 

the  computer? 

A  Again,    sir,   the  file,    if  it's  local  it 

would  be  user  name  at  file.      If  it  was  a  web  page,  it 
would  be  user  name  at  http,   that  means  4:05. 

THE  PROSECUTION:     Your  Honor,    at  this  time 
Prosection  is  moving  to  admit  Prosecution  Exhibit  128 
into  evidence . 

THE  DEFENSE:     No  objection,    Your  Honor. 

THE  COURT:     Prosecution  Exhibit  128  is 

admitted. 

BY  THE  PROSECUTION: 

Q  Now,    if  I  could,    I'd  like  to  retrieve 

Prosecution  Exhibit  128. 

Agent  Shaver,    in  this  time  period  10 
April  2010,    if  you  would  just  look,   we  talked  about  a 
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BE22PAX.zip  earlier.     Do  you  remember  that? 
A  Yes,  sir. 

Q  Do  you  see  any  videos  locally  on  the 

computer  at  this  time? 
A  No,  sir. 

Q  Did  you  look  for  BE22PAX.zip? 

A  I  have  previously.     Yes,    sir.      It  is  not 

there . 

Q  Now,   Agent  Shaver,    I  want  to  transition 

from  logs  collected  from  the  CENTCOM  SharePoint  server. 
Did  you  examine  logs  from  that  server? 

A  Yes,    sir,    I  did. 

Q  When  was  the  first  date  captured  by  the 

CENTCOM  SharePoint  SharePoint  logs? 
A  1  December  2009. 

Q  So  you  didn't  have  anything  prior  to  1 

December  2009? 

A  No,  sir. 

Q  Now,   what  type  of  information  was  captured 

in  the  CENTCOM  SharePoint  SharePoint  log? 

A  These  are  the  Microsoft  SharePoint  logs . 
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They ' re  standard  Windows  logs .     They  capture  a  local  IP 
address  making  a  request,   date  and  time,   and  the 
activity,    the  file  requested. 

Q  Now,   when  you  say  a  local  IP  address,  what 

do  you  mean? 

A  Sir,   these  logs  have  been  configured  to 

capture  local  IP  —    (INAUDIBLE)    —  so  if  a  dot  22  or 
dot  40  connected  that  would  not  show  up  to  the 
computer .      It  would  be  a  local  IP  to  the  network . 

Q  When  you  reviewed  the  CENTCOM  SharePoint 

logs,   did  you  observe  any  activity  on  10  April  2010  in 
those  logs? 

A  I  did,  sir. 

Q  What  did  you  observe  in  the  logs? 

A  There  was  a  large  download  of  files . 

THE  PROSECUTION:      I'm  retrieving  what's 
been  marked  as  Prosecution  Exhibit  129  for 
identification . 

I'm  handing  the  witness  what's  been  marked 
as  Prosecution  Exhibit  12  9  for  identification  into 
evidence . 
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BY  THE  PROSECUTION: 

Q  Take  a  few  moments . 

(Witness  reading.) 
Q  Do  you  recognize  that  document? 

A  Yes,  sir. 

Q  What  is  it? 

A  This  is  a  Excel  spreadsheet  I  created  from 

the  CENTCOM  logs  pertaining  to  the  downloads  on  10 
April  2010. 

Q  And  approximately  how  many  lines  of 

activity  are  in  this  document? 

A  Sir,    there  are  334  lines . 

THE  PROSECUTION:      I'm  retrieving  the 
exhibit  from  the  witness . 

Your  Honor,   permission  to  publish? 
THE  COURT:      Go  ahead. 
BY  THE  PROSECUTION: 

Q  Agent  Shaver,    I'm  just  showing  the  last 

page  of  the  exhibit .     Can  you  describe  the  activity 
from  left  to  right? 

A  From  left  to  right,   the  number  on  the  left 
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is  the  line  item  number,    the  date  and  time.      The  server 
IP.     And  the  action,   the  action,   the  download  files 
downloaded . 

Q  You  reviewed  all  the  activity  in  the 

CENTCOM  SharePoint  logs  on  10  April;    is  that  correct? 
A  Yes,  sir. 

Q  I'll  hand  you  back  Prosecution  Exhibit  129 

for  identification. 

If  you  would,    just  please  review  or  if  you 
recall  from  memory,   were  any  videos  downloaded  from  the 
CENTCOM  Sharepoint  Server  at  this  time? 

A  No,    sir,   not  at  this  point. 

Q  How  do  you  know  that? 

A  Sir,    I  searched  for  them. 

Q  What  were  you  using  to  search? 

A  The  BE22.zip,    they  were  stored  on  the  file 

as  a  zip  file  not  as  a  movie  zip. 

THE  PROSECUTION:  Your  Honor,  at  this  time 
prosecution  moves  to  admit  Prosecution  Exhibit  129  for 
identification  into  evidence. 

THE  DEFENSE:     No  objection,  ma'am. 
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THE  COURT:     Prosecution  Exhibit  129  for 
identification  is  admitted. 
BY  THE  PROSECUTION: 


Q  Agent  Shaver,    you  said  earlier  that  you 

recovered  or  found  numerous  J  pegs  in  the  unallocated 
space? 

A  Yes . 

Q  What  is  that? 

A  It ' s  a  graphic  image  file,  picture. 

Q  Do  you  have  to  use  any  special  tool  to  find 

a  J  peg? 

A  Yes,  sir. 

Q  What  do  you  use? 

A  We  use  EnCase  to  search  for  these  things . 

Q  When  you  were  searching  the  unallocated 

space,   did  you  find  any  video  files  in  the  unallocated 
space? 

A  No. 

Q  Did  you  find  any  video  files  in  the 

allocated  space? 

A  Yes,  sir. 
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Q  What  did  you  find? 

A  I  found  several  movies,    two  of  which  were 

dealing  with  the  collateral  murder . 

Q  Did  you  find  any  of  the  videos  that  were 

located  on  the  CENTCOM  Sharepoint  Server? 

A  No,    sir,    I  did  not. 

Q  Did  you  find  any  of  the  videos  located  on 

the  CENTCOM  Sharepoint  Server  in  the  unallocated  space? 
A  No,    sir;    I  did  not. 

Q  Agent  Shaver,    I'd  like  to  transition  to  the 

other  SIPRNET  computer.     What  was  the  IP  address  on 
that  computer? 

A  Dot  40,  sir. 

Q  What  was  your  process  for  the  examination 

of  this  computer? 

A  Sir,    I  verified  the  hash  values  matched  and 

I  conducted  my  examination  to  answer  the  questions . 

Q  Were  you  working  off  an  image? 

A  Yes,    sir,    I  was  working  off  an  image. 

Q  What  was  the  configuration  of  the  computer? 

A  Sir,    it  was  a  Windows  computer.      It  was  a 
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United  States  Army  computer .      It  was  on  a  domain . 
There  was  a  Bradley  dot  Manning  user  profile  present . 


Q  And  did  this  computer  have  CD  burning 

tools? 

A  Yes,    sir;    it  did. 

Q  I  didn't  ask  that  question  before,   but  did 

the  dot  22  computer  have  CD  burning  tools? 
A  Yes,  sir. 

Q  What  was  the  CD  burning  tool? 

A  Roxio . 

Q  What  is  Roxio? 

A  Sir,    that  is  a  CD  burning  utility,    just  a 

program  to  burn  CDs . 

Q  What  happens  when  you  burn  a  disk  using 

Roxio?     How  does  the  Roxio  program  name  a  disk? 

A  Sir,   by  default  it  names  it  by  a  date  time 

group.  So  by  default  it's  two-digit  year,  two-digit 
month  and  day,  underscore,  two-digit  hour,  two-digit 
minute . 

Q  And  that ' s  the  default  setting? 

A  Yes,  sir. 


Provided  by  Freedom  of  the  Press  Foundation 


1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 


UNOFFICIAL  DRAFT  -  6/11/13  Afternoon  Session 


84 

Q  Now,    how  do  you  know  that  that ' s  the 

default  setting  for  the  way  a  Roxio  names  a  disk? 

A  On  these  computers,    sir,    I  converted  dot  22 

into  a  virtual  machine  and  then  I  logged  in  and  then  I 
burned  a  disk  and  then  I  examined  the  naming  structure 
of  the  disk. 

Q  And  again,    just  this  was  from  a  long  time 

ago,   but  what  is  a  virtual  machine? 

A  Sir,    a  virtual  machine  is   just  another 

computer  running  virtually  within  a  host  computer .  So 
if  I'm  running  a  windows  computer  as  a  host,  I  can  run 
a  Linux  or  Macintosh  computer  as  a  guest . 

Q  So  you  burned  a  CD  using  Roxio  through  a 

virtual  machine? 

A  Yes,  sir. 

Q  And  on  the  dot  40  computer,   what  were  you 

looking  for? 

A  Sir,    I  was  looking  for  any  of  the  similar 

items  I  found  on  the  dot  22 .     Were  there  any  Department 
of  State  cables  and  things,   documents  along  those 
lines . 
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Q  And  what  did  you  find? 

A  Sir,   within  the  unallocated  space  I  found  a 

CSV  file  that  contained  over  100,000  complete 
Department  of  State  cables  in  Base64  format . 

Q  And  you  said  this  was  in  the  unallocated 

site? 

A  Yes,  sir. 

Q  And  what  does  Base 64  look  like  to  the  human 

eye? 

A  Gibberish.     A  through  F,    (INAUDIBLE)  so. 

Q  And  these  are  full  cables? 

A  Yes . 

Q  Now,   by  just  looking  at  the  Base64,  were 

you  able  to  tell  what  the  original  form  of  the  file 
was? 

A  No,    sir.      I  could,    I  was  able  to  decode 

them  from  Base64  back  to  record  text  and  view  the 
contents,   but  the  original  source  at  this  point  I  could 
not  tell . 

Q  And  how  would  someone  convert  let ' s  say 

we're  talking  about  a  web  page  HTML,    how  would  someone 
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convert  a  web  page  to  Base64? 

A  Because  of  the  sheer  volume  of  them  all,  I 

believe  a  script  was  used.     A  script  would  be  an 
automated  step  program,    small  program. 

Q  Did  you  find  a  script  on  this  computer,  on 

the  dot  20  computer  that  would  convert  HTML  to  a 
Base64? 

A  No,    sir,    I  did  not. 

Q  Based  on  your  examination  of  both 

computers,   the  dot  22  and  dot  40  did  one  appear  to  be 
used  more  often  by  PFC  Manning? 

A  Yes,    sir.      The  dot  22  appeared  to  have  more 

activity . 

THE  PROSECUTION:     One  moment,    Your  Honor. 

No  further  questions,    Your  Honor. 

THE  COURT:  Cross-examination? 

CROSS-EXAMINATION  BY  MR.  HURLEY: 
Q  Agent  Shaver,    good  afternoon  again. 

A  Good  afternoon,  sir. 

Q  Agent  Shaver,    I'd  like  to  talk  first  about 

Wget .     You  spoke  about  Wget  on  direct  examination? 


Provided  by  Freedom  of  the  Press  Foundation 


1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 


UNOFFICIAL  DRAFT  -  6/11/13  Afternoon  Session 


87 


A  Yes,  sir. 

Q  Let ' s  talk  about  it  some  more . 

A  Sure . 

Q  Now,    you  would  agree  with  me  that  Wget  does 

not  give  a  user  access  to  information  that  they 
otherwise  wouldn't  have  access  to,  correct? 

A  Correct . 

Q  So  if  a  user  ever  uses  Wget  on  the,    this  CD 

database,    for  example,   using  Wget  isn't  going  to  allow 
that  user  to  grab  something  they  normally  wouldn ' t  be 
able  to  see? 

A  You  are  correct . 

Q  And  it  wouldn't,   Wget  wouldn't  allow  the 

user  to  circumvent  any  sort  of  restrictions  that  the 
NCD  may  place  on  the  user? 

A  Correct . 

Q  So  you  would  agree  with  me  that  Wget 

doesn't  give  a  user  any  more  access  than  they  would 
have  normally? 

A  Correct . 

Q  Now,    you  spoke  about  your  examination  on 
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the  22  machine  and  the  40  machine  and  you  did  a 
complete  scrub  of  those  machines,  correct? 
A  No,  sir. 

Q  You  spoke  about  some  of  the  machines  you 

were  looking  for.     You  were  also  looking  for  what's 
known  as  the  WikiLeaks  most  wanted  list,  correct? 

A  Yes,  sir. 

Q  Something  that  when  you  were  going  through 

both  the  22  and  the  40  machine,   that's  something  you 
were  looking  for? 

A  Yes,  sir. 

Q  And  let ' s  talk  about  the  22  machine  first . 

As  you  went  over  that  bite  by  bite  and  bit  by  bit  you 
never  found  any  evidence  that  PFC  Manning  had  seen 
that,  correct? 

A  Sir,    I  apologize,    I  don't  remember  exactly 

what  was  on  the  entire  list .     Do  you  have  that  — 

Q  I  guess  let  me  clarify,    I'm  sorry. 

The  actual  list  itself? 

A  Right.     Oh,   no,    sir;    I  did  not  see  the 

list . 
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Q  So  there  was  no  evidence  that  on  the  22 

machine  a  user  had  viewed  that  list? 
A  Correct . 

Q  No  evidence  that  a  user  ever  had  saved  that 

list? 

A  No,  sir. 

Q  Or  printed  it? 

A  Yes,  sir. 

Q  Or  done  anything  with  it? 

A  Correct . 

Q  And  the  same  would  be  true  for  the  4  0 

machine  as  well,  correct? 
A  Yes,  sir. 

Q  And  the  same  would  be  true,   we  have  heard 

testimony  about  a  number  of  2008  from  WikiLeaks,  you 
would  agree  there's  no  forensic  evidence  that  on  the  22 
machine  that  a  user  of  that  machine  saw  any  tweets  from 
WikiLeaks? 

A  There  should  not  have  been  since  it ' s 

SIPRNET  and  all  — 

Q  Likewise,    the  4  0  machine? 
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A  Correct . 

Q  No  evidence  of  viewing  any  tweets? 

A  Correct,  sir. 

Q  I  want  to  talk  about  the  Farah  issue  you 

testified  about  at  length  on  direct . 

You  mentioned  that  you  saw  some  references 
to  the  Farah  video  in  index  dot  dat  file,  correct? 

A  No,  sir. 

Q  What  did  you  say  about  the  index  dot  dat 

registry  in  Farah? 

A  The  Farah  folder. 

Q  Okay . 

A  I  did  not  see  anything  pertaining  to  the 

BE22PAX.zip  files. 

Q  Okay .      In  the  index  dot  dat  there  was 

evidence  that  the  user  of  the  22  machine  had  viewed 
things  related  to  Farah? 

A  Yes,  sir. 

Q  Correct .     Okay . 

And  have  you  ever  viewed  jpegs? 

A  Yes,  sir. 
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Q  PDFs? 

A  Yes,  sir. 

Q  PowerPoint s? 

A  Yes,  sir. 

Q  But  there  were  no  files  you  would  associate 

with  videos? 

A  Correct . 

Q  That  was  on  10  April? 

A  Yes,  sir. 

Q  And  there  was  no  other  evidence  on  the  22 

machine  of  viewing  things  or  using  things  related  to 
Farah,  correct? 

A  Correct . 

Q  So  only  on  10  April,  right? 

A  Yes,  sir. 

Q  And  — 

A  Sorry,    sir,   but  there's  — 

Q  Okay,    in  the  Farah  folder? 

A  Correct . 

Q  Okay . 

Now,    you  also  talked  about  CENTCOM  server 
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logs  and  a  number  of  downloads  and  those  downloads  are 
on  10  April  as  well,  correct? 
A  Yes,  sir. 

Q  And  those  again  were  PDFs? 

A  Yes,  sir. 

Q  Jpegs  ? 

A  Yes . 

Q  PowerPoint s? 

A  Yes,  sir. 

Q  Not  videos? 

A  Correct . 

Q  Now,   when  you  looked  at  the  CENTCOM  logs, 

you  also  looked  at  —  you  had  the  ability  to  look  and 
see  how  many  times  those  zip  files,   those  video  zip 
files  had  been  viewed,  correct? 

A  Correct . 

Q  There  were  three  zip  files  on  the  CENTCOM 

server? 

A  Right . 

Q  One  of  them  was  BE22PAX.zip;    is  that  right? 

A  Yes,  sir. 
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Q  One  of  them  was  BE22STD1 . zip? 

A  Sir  — 

Q  Does  that  sound  familiar? 

A  It  does  sound  familiar. 

Q  And  BE22  strike  2  dot  zip? 

A  That  sounds  right . 

Q  Agent  Shaver,   when  you  were  doing  your 

examination,   were  you  able  to  determine  how  large  those 
files  were? 

A  As  I  recall,    sir,    I'm  sorry  I  don't  know 

exact  numbers ,   but  about  32  megs  apiece . 

Q  So  each  individual  file  was  around  30  megs? 

A  Correct . 

Q  Cumulatively  around  90  megs? 

THE  COURT:     What  is  a  meg? 
Q  Would  you  please  — 

A  It ' s  a  file  size,  megabyte. 

THE  COURT:  Okay. 
Q  Thank  you,   Agent  Shaver. 

Now,    you  found  two  instances,    if  you  could, 
again,    just  remind  us  how  sort  of  the  timeframe  for 
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those  CENTCOM  server  logs .     When  did  those  — 
A  1  December . 

Q  1  December  and? 

A  I  believe  they  ended  in  July  2010. 

Q  So  from  1  December  to  July  2010  you  agree 

with  me  when  you  reviewed  those  logs  there  were  only 
two  instances  of  those  files,   those  zip  files  being 
viewed? 

A  Yes,  sir. 

Q  Okay.     One  of  those  was  on  28  January  2010? 

A  Yes,  sir. 

Q  And  one  of  them  was  on  23  February,  2010? 

A  Correct . 

Q  And  you  have  the  ability  through  those  logs 

to  determine  the  IP  address  of  the  person  requesting  or 
the  computer  requesting,  correct? 

A  No,  sir. 

Q  No .     Okay . 

So  you  weren ' t  able  to  determine  who  or 
what  computer  actually  viewed  those? 

A  Correct . 
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Q  Now,    I  want  to  talk,    again,    about  or 

continue  talking  about  I  guess  we'll  transition  back  to 
the  22  machine. 

A  Okay . 

Q  And  I  want  to  talk  to  you  about  the 

unallocated  space  there.  Or  maybe  not  dealing  with 
unallocated  space.  We'll  talk  about  the  22  machine 
generally . 

You  would  agree  with  me  that  there  was  a 
file  path  that  you  could  see  on  the  22  machine  that 
was,   that  showed  the  user  of  the  22  machine  accessing 
the  T— drive .     There  were  instances  where  you  could 
see  — 

A  Yes,  sir. 

Q  —  that  user  accessing  the  T-drive .  And 

you  found  an  instance  where  there  was  a  file  path  T 
colon  forward  slash  BDE,   brigade,    forward  slash  special 
staff,    forward  slash    (INAUDIBLE) ,    forward  slash  TACP, 
forward  slash  training,    complete  by  20  December  2009? 

A  Correct . 

Q  And  you  and  —  okay. 
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So  that  was  on,   that  file  path  you  found 
the  22  machine  accessing  that  on  17  April,  correct? 
A  That  sounds  right,  sir. 

Q  Okay.     And  inside  that  folder  you  would 

agree  with  me  there  was  a  file  called  TGTl  dot  WMV? 
A  Correct . 

Q  Could  you  explain  for  the  court  what  WMV 

file  is  generally? 

A  Generally  a  movie  file. 

Q  Could  you  tell  if  that  particular  file  GTTl 

was  a  movie  file? 

A  Just  based  off  the  name. 

Q  And  the  extension? 

A  It  appear  to  be  based  off  of  the  extension. 

Q  Were  you  actually  able  to  view  that  file? 

A  No,  sir. 

Q  But  based  on  the  extension,    you  would 

associate  that  with  some  sort  of  video? 
A  Correct . 

Q  Okay.     Now,   you  would  agree  with  me  that 

the  forensic  of  the  22  machine  show  that  TGTl  dot  WMV 
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file  in  two  locations  on  the  22  machine? 
A  Correct . 

Q  One  of  those  locations  was  in  the  documents 

and  settings  on  C  drive,    documents  and  settings, 
Bradley  dot  Manning,   my  documents  and  then  forward 
slash  Farah,    forward  slash  Farah? 

A  Correct . 

Q  And  that  was  the  same  file,  TGTl.wmv? 

A  Appears  to  be,  yes. 

Q  Then  the  other  location  where  you  found 

that  file  was  in,   again  the  C  drive  documents  and 
settings  again  Bradley  dot  Manning  my  documents  forward 
slash  yadda,    forward  slash  Farah? 

A  Correct . 

Q  Again,    that  was  TGTl.wmv? 

A  Yes,  sir. 

Q  A  file  normally  associated  with  a  video? 

A  Correct . 

Q  You  agree  with  me  that  the  22  machine,  it 

would  appear  took  this  file  off  of  the  T— drive,  the 
shared  drive  of  the  user  would  have  had  access  to  and 
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moved  it  to  two  folders  on  that  user ' s  computer  that 
were  called  Farah? 

A  Appears  so . 

Q  I  want  to  go  back  to  the  actual  file  path. 

You  would  agree  with  me  that  on  the  T— drive,    that  long 
file  path  that  we  have  here  brigade  special  staff  et 
cetera,   the  last  portion  of  that  is  forward  slash 
Farah? 

A  Correct . 

Q  So  the  22  machine,   we  could  even  say  the 

user  Bradley  dot  Manning,   accessed  the  shared  drive, 
accessed  the  shared  drive  with,   called  Farah,   at  least 
in  part,   there  was  a  movie  file  in  there,   would  you 
agree  with  that? 

A  Yes . 

Q  Bradley  dot  Manning  users  account,  then 

took  that  file  and  placed  it  on  the  machine,  the  22 
machine  in  two  locations? 

A  Yes,  sir. 

Q  And  both  of  those  locations  had  Farah  in 

the  title? 
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A  Correct . 

Q  Now,    you  also  found  reference  to  this 

particular  file,    TGTl  in  the  dot  22  registry,  correct? 
A  Correct . 

Q  Could  you  explain  for  the  court  what  it 

means  when  you  find  something  in  the  registry? 

THE  COURT:     What  was  it  found  in  the 

registry? 

THE  DEFENSE:      TGTl  do  the  WMV. 
A  Which  registry  style,    the  user? 

Q  Yes. 

A  Each  user  account  has  a  file  called  NT  user 

dot  dat .      If  you  open  the  documents,   there's  a  lot  of 
information  within  the  user  dot  dat .      It  maintains 
information  such  as  the  last  10  Word  documents  you 
opened.     One  of  the  files  there  was  the  TGTl  appeared 
to  be  accessed  as  well . 

Q  So  the  appearance  of  the  TGTl.wmv  file  in 

the  registry  would  suggest  that  it  was  played? 

A  Reviewed . 

Q  Were  you  able  to  tell  what  application  was 
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used  to  view  that? 

A  I  believe  it  was  — 

Q  Was  it  Windows  Media  Player? 

A  Yes,    sir.  Sorry. 

Q  Could  you  explain  for  the  court  what  one 

generally  uses  Windows  Media  Player  for? 

A  Playing  videos  or  audio. 

Q  Okay .     So  we  have  the  user  Bradley  dot 

Manning  playing  the  TGTl.wmv  file  in  an  application 
that's  typically  used  to  view  videos? 

A  Right . 

Q  That  was  on  17  April  2010? 

A  Yes,    I  don't  recall  the  date.      I'm  sorry. 

That  sounds  reasonable . 

THE  DEFENSE:     Your  Honor,    I'm  going  to 
retrieve  what ' s  been  marked  as  Defense  Exhibit  Gulf  I 
believe  for  identification. 
BY  MR.  HURLEY: 

Q  Agent,   would  you  please  head  over  to  the 

panel  box.      This  actually  is  Defense  Exhibit  Gulf  for 
ID. 
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I'm  handing  the  Exhibit,  to  the  witness. 
Agent  Shaver,    do  you  recognize  that 

document  ? 

(Witness  reading.) 
A  Yes,    sir;    I  do. 

Q  What  is  it? 

A  Sir,   this  is  a  Excel  spreadsheet  I  created 

from  the  Intelink  logs  —  how  far  can  I  go? 

I'm  waiting  for  you  to  tell  me  where  to  go 

on  this . 

Q  You  can  say  more . 

A  Based  off  the  key  words  Farah  and  CENTCOM. 

Q  How  do  you  know  that  that ' s  what  that 

document  is? 

A  I  created  it,  sir. 

Q  How  did  you  go  about  creating  it? 

A  Sir,    I  filtered,    again  it  was  an  Excel 

spreadsheet .     So  I  filtered  on  the  key  words  Farah  and 
CENTCOM . 

Q  So  these  are  the  Intelink  logs .     We  dealt 

with  these  a  little  bit  yesterday  and  now  we  have  got, 
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again,   the  Intelink  logs  are  like  Google  searches, 
correct? 

A  Correct . 

Q  So  what  you've  done  here  is  you've  taken 

the  Intelink  logs  and  these  are  the  full  logs,  right? 
A  Yes,  sir. 

Q  Not   just  the  queries  but  the  full  logs? 

A  Yes,  sir. 

Q  And  you've  taken  those  and  you've  filtered 

them  to  grab  any  actions  that  deal  with  Farah  and 
CENTCOM? 

A  Okay . 

Q  Now,    looking  at  that,   would  you  agree  with 

me  that  at  no  point  did  the  22  or  the  dot  40  user  view 
any  videos  on  the  CENTCOM  server  that  dealt  with  Farah . 
Take  a  moment  to  look  through  that . 

A  Repeat  your  question . 

Q  I  will .     Would  you  agree  with  me  that 

there's  no  evidence  that  the  dot  22  or  dot  4  machine  or 
the  user  Bradley  dot  Manning,   viewed  anything,  any 
videos  that  were  associated  with  Farah? 
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A  Correct . 

Q  What  was  the  date  range  in  those  Intelink 

logs? 

A  One  moment,    sir.     Appears  to  be  22 

March  2010. 

Q  And  the  Intelink  logs  generally  speaking 

would  include  what,   what  range  of  dates? 
A  November  2009  to  May  2010. 

THE  DEFENSE :     Retrieving  that  back  and  we 
would  offer  this  as  evidence? 

THE  COURT :      Can  I  ask  you  to  repeat  your 
answer.     What's  the  22  March  2010?     What  was  the 
question  and  answer? 

THE  DEFENSE:      The  question  was   just  what 
dates  are  encompassed  in  this  document. 

THE  COURT :      Thank  you . 

THE  PROSECUTION:  No  objection,  Your  Honor. 
THE  COURT:     Defense  Exhibit  Gulf  is 

admitted. 

BY  MR.  HURLEY: 

Q  Agent  Shaver,    one  more  time,   the  Intelink 
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logs,   generally  speaking  the  entire  span  was  from 
November  of  2009  to  May  of  2010,  correct? 
A  Correct . 

Q  So  when  you  looked  at,   the  only  activity 

that  was  captured  that  dealt  with  Farah  and  CENTCOM 
would  have  been  on  22  March,  correct? 

A  Correct . 

Q  Now,   Agent  Shaver,    you  talked  on  direct 

about  various  ways  in  which  the  Farah  evidence  made  its 
way  onto  PFC  Manning's,  the  SIPRNET  machines  associated 
with  him,  correct? 

A  Correct . 

Q  You  talked  about,   we  talked  about  the  Intel 

Link  logs .     We  have  also  seen  data  from  the  CENTCOM 
server,  correct? 

A  Correct . 

Q  Did  you  look  at  any  other  logs  in  order  to 

determine  whether  any  data  was  transferred  from  CENTCOM 
to  the  22  or  the  40  machines? 

A  Yes,    I  did. 

Q  What  did  you  look  at? 
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A  Other  logs  files  called  Centaur  logs . 

Q  What  are  Centaur  logs? 

A  Those  are  net  flow  logs .     They  capture 

information    (INAUDIBLE)  — 

THE  PROSECUTION:     Objection,   Your  Honor. 
Outside  the  scope  of  the  direct. 

THE  COURT:  Sustained. 

THE  DEFENSE:     Your  Honor,   the  defense 
believes  the  government  has  opened  the  door  to  the 
Centaur  logs.     The  witness  has  testified  about  how  the 
Farah,    the  video  that's  the  subject  of  (INAUDIBLE) 
specifically.     He's  talked  about  how  documents  related 
to  Farah  have  ended  up  on  the  witness's  or  on  the,  my 
client ' s  machine .     And  we  think  that  talking  about  the 
Centaur  logs  would  give  the  court  the  complete  picture 
of  — 

THE  COURT:      Government,   what  is,  you're 
planning  on  addressing  the  Centaur  logs  later? 

THE  PROSECUTION:      In  conjunction  with 
Department  of  State  information,    Your  Honor. 

THE  COURT:      Is  there  anything  in  the 
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Centaur  logs,    I'll  ask  both  sides,   that's  relevant  to 
the  Farah  videos? 

MR.   HURLEY:      The  defense  believes  so,  Your 

Honor . 

THE  COURT:      I  will  overrule  the  objection 
to  the  extent  you ' re  talking  about  Farah . 

MR.   HURLEY:     Yes,  ma'am. 
BY  MR.  HURLEY 

Q  So  could  you  explain  again  what  are  Centaur 

logs? 

A  Net  flow  logs,    sir.      They're  sense  words 

throughout  the  DoD  network  and  they  measure,  they 
capture  the  flow  of  traffic.     We  don't  know  what  data 
is  transferred  between  two  computers . 

Q  So  if  you're  a  user  and  you  log  onto  the 

CENTCOM  server,  we're  going  to  see  the  IP  address 
associated  with  Agent  Shaver  has  connected  to  the 
CENTCOM  server  and  we'll  see  data  going  back  and  forth? 

A  Correct . 

Q  Now,   what  did  you  do  with  the  CENTCOM,  I'm 

sorry,    the  Centaur  logs? 
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A  Sir,    I  put  them  to  Excel  for  easier  review. 

THE  DEFENSE:      This  time  I'm  going  to 
retrieve  Defense  Exhibit  Charlie  for  identification. 

Agent  Shaver,    could  you  please  move  to  the 

panel  box. 

Q  I'm  handing  you  what ' s  been  marked  as 

Defense  Exhibit  Charlie  for  identification.     What  is 
t  hat  do  cument  ? 

A  Sir,    this  is  a  spreadsheet  I  created.  It 

shows  the  IP  address  of  the  remote  computer,  the 
computer  name  and  the  computer  name  contains  the  words 
CENTCOM  and  it  shows  the  total  number  of  connections 
and  the  total  data  transferred. 

Q  How  many  IPs  are  listed  there  that  you  have 

associated  with  CENTCOM? 

A  Seven . 

Q  And  when  you  created  this,   when  you 

reviewed  the  Centaur  logs,   well,    I'll  hold  off  on  that. 
Couple  more  questions  about  Centaur  logs  generally. 

Do  those  cover  net  data  flow  over  all  of 

DoD? 
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A  Yes  and  no . 

Q  Okay . 

A  Sensors  are  placed  throughout  the  network 

so,    say,    for  example,   this  room  is  a  network.     You  and 
I  could  communicate  all  day  long  there  won't  be  any 
sensor  communication .     As  soon  as  you  left  the  room  and 
the  sensor,   that's  when  it  would  log  it.      There  may  not 
have  been  any  sensors  within  the  actual  FOB  Hammer  or 
Iraq.      There  may  be  sensors  when  you  leave  country. 

Q  Okay . 

A  So  you ' re  not  going  to  get  a  complete 

picture  and  also  Centaur  logs,    sensor,   they  go  down,  so 
Centaur  logs  are  not  a  complete  picture .     There  are 
fortunately  large  breaks  of  data  where  there ' s  no 
information . 

Q  Sure.     And,    in  fact,    in  the  Centaur  logs 

that  you  reviewed  there  were  large  gaps  in  data, 
correct? 

A  Yes,  sir. 

Q  What  was  the  timeframe  of  the  Centaur  logs 

that  you  reviewed  in  this  case? 
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A  I  want  to  say  October  2009  to  May  2010. 

Q  And  the  Centaur  Logs  you  reviewed  included 

activity  between  the  22  and  40  machine  and  other 
servers  throughout  DoD,  correct? 

A  Correct . 

Q  Directing  your  attention  back  to  Defense 

Exhibit  Charlie  for  identification.     You  mentioned  that 
there ' s  a  column  there  that  talks  about  how  much  data 
was  actually  transferred,  correct? 

A  Correct . 

Q  If  you  could  just,   you  said  there  were 

(INAUDIBLE)  certification? 
A  Correct . 

Q  How  much  data  was  transferred? 

A  Ish? 

Q  Ish.      Thank  you. 

A  Maybe  2  0  megs . 

MR.   HURLEY:      I'm  going  to  retrieve  this 
exhibit  for  identification  from  the  witness  and  offer 
it  as  Defense  Exhibit  Charlie . 

THE  PROSECUTION:     We'd  object,    Your  Honor, 
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based  on  lack  of  foundation. 

THE  COURT:     You're  the  ones  that  objected. 
If  you  go  more  in  depth  to  the  Centaur  logs. 

THE  PROSECUTION:     We  object  on  that  basis 
that  it's  outside  the  scope  of  direct. 

THE  COURT:      I  understand  that  but  I  told 
him  I'm  limiting  him  to  going  with  —  let  me  put  it 
this  way .     Does  the  government  believe  there  may  be 
additional  foundation  with  respect  to  the  Centaur  logs 
without  going  beyond  what  I  said  with  Farah? 

THE  PROSECUTION:     Your  Honor,  we'll 
withdraw  the  objection. 

THE  COURT :      Thank  you . 

Exhibit  Charlie  for  identification  is 

admitted. 

MR.   HURLEY:      I'm  now  retrieving  what's  been 
marked  as  Defense  Exhibit  Delta  for  identification. 

I'm  handing  the  witness  Defense  Exhibit 
Delta  for  identification. 
BY  MR.  HURLEY: 

Q  Agent  Shaver,   what  is  that? 
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A  Sir,    this  is  an  Excel  spreadsheet.  I 

created . 

Q  What  SD  memory  does  that  Excel  spreadsheet 

show? 

A  It  shows  the  source  and  destination  IPs, 

the  netflow  data  on  the  data  that  was  captured,  traffic 
that  was  captured . 

Q  What  IPs  did  you  capture  in  the  source  IP 

column? 

A  Those  would  be  the  CENTCOM  servers . 

Q  Would  those  be  the  same  IPs  from  Defense 

Exhibit  Charlie? 

A  Can  I  see  them  to  verify? 

Q  Sure . 

A  Thanks . 

Q  I'm  handing  the  witness  Defense  Exhibit 

Charlie . 

A  Thank  you,  sir. 

(Witness  reading.) 
A  Yes,  sir. 

Q  You  said  you  created  Defense  Exhibit  Delta 
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for  identification.     How  did  you  create  that  document? 

A  Sir,    since  there  was  an  Excel  spreadsheet  I 

simply  filtered  on  the  IPs  that  result  back  to  the 
CENTCOM  main. 

Q  So  the  source  IP  column  includes  the  IPs 

from  CENTCOM,  correct? 

A  Correct . 

Q  And  the  destination  IPs  are  what? 

A  Either  dot  40  or  dot  22. 

Q  So  you  would  agree  with  me  that  Defense 

Exhibit  Delta  for  identification  includes  the  netflow 
data  between  CENTCOM  servers  and  the  22  and  4  0  machines 
that  was  captured  by  the  Centaur  logs? 

A  Correct . 

Q  And  again  you  mentioned  there  are  gaps  in 

the  Centaur  logs? 
A  Yes . 

Q  Is  there  any  gaps  reflected  in  Defense 

Exhibit  Delta  for  identification? 
A  (INAUDIBLE) . 

Q  Again,   those  gaps  are  because  sensors  go 
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down? 

A  Yes,  sir. 

Q  Or  there  could  be  gaps  because  there ' s  no 

activity? 

A  Correct . 

Q  We  do  know  that  you  would  agree  with  me 

it ' s  not  because  of  anything  that  the  user  would  have 
done? 

A  Correct . 

Q  It  wouldn ' t  have  been  PFC  Manning  who 

tampered  with  Centaur  logs  and  forced  them  to  not 
gather  data? 

A  Correct . 

Q  That ' s   just  something  that  happens .     Now,  I 

want  to  talk  about,    I  guess  at  this  time,   Your  Honor, 
we  would  offer  Defense  Exhibit  Delta  for  identification 
as  Defense  Exhibit  Delta? 

THE  PROSECUTION:     Delta  or  Charlie? 

THE  COURT:      They've  admitted  Charlie.  This 

is  Delta. 

THE  PROSECUTION:     No  objection. 
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THE  COURT:     May  I  see  it? 

MR.   HURLEY:     Retrieving  Defense  Exhibit 
Delta  from  the  witness . 

THE  COURT:     Exhibit  Delta  is  admitted. 
BY  MR.  HURLEY: 

Q  Agent  Shaver,   yesterday  you  spoke  about  a 

number  of  Intelink  log  searches.     Do  you  recall  that? 
A  Yes . 

Q  We  talked  about  searches  that  were  related 

to  Farah? 

A  Correct . 

Q  One  such  search  was  on  30  November  by  the 

dot  40  machine  —  I  will  retrieve  Prosecution  Exhibit 
81,  please. 

MR.   HURLEY:     Your  Honor,    the  Prosecution 
Exhibit  that  I'd  like  the  witness  to  reference  is  in 
(INAUDIBLE)    right  now. 

THE  COURT:      Is  this  a  good  time  to  take  a 
brief  recess?     Can  someone  go  get  it? 

THE  PROSECUTION:      Someone  has  gone  to  get 

it. 
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THE  COURT:      Is  it  still  a  good  time,  how 
long  is  it  going  to  take  them  to  get  it  do  you  think? 

THE  PROSECUTION:     Probably  two  or  three 

minutes . 

THE  COURT:  Okay. 

THE  PROSECUTION:      Or  less. 

THE  COURT:     We  can  wait.      Court  is  recess 
in  place.      The  witness  will  remain  in  the  witness  box. 
Feel  free  to  move  around. 

(Brief  recess . ) 

THE  COURT:     Please  proceed.     All  parties 
present  at  the  last  recess  were  present . 

MR.   HURLEY:      I'm  going  to  retrieve 
Prosecution  Exhibit  81  and  hand  that  to  the  witness . 

Before  we  get  going  on  that,    I'll  retrieve 
Defense  Exhibit  Charlie  from  you. 
BY  MR.  HURLEY: 

Q  Okay.     We're  on  prosecution  Exhibit  81. 

You ' re  able  to  see  all  the  Intelink  searches  that 
you've  associated  with  my  client,  correct? 
A  Two  computers;   yes,  sir. 
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Q  And  the  first  such  search  that  implicates 

Farah  would  have  been  on  30  November. 

THE  COURT:      That  would  be  2009. 
MR.   HURLEY:     Yes,  ma'am. 
A  Yes,  sir. 

Q  And  that  was  the  dot  40  machine? 

A  Yes,  sir. 

Q  Okay .      I'd  like  you  to  now  look  at  the 

Centaur  logs  on  30  November. 

Would  you  agree  with  me  that  there  was  no 
data  transferred  between  CENTCOM  and  the  22  or  4  0 
machine  on  30  November? 

A  I  have  no  logs  from  that  date . 

Q  There  are  no  logs  from  that  date .     So  you 

would  agree  there ' s  no  evidence  that  any  data  was 
transferred  from  the  CENTCOM  server  and  the  22  or  the 
4  0  machine? 

A  There ' s  —  there  may  have  been  data .  I 

can't  tell. 

Q  Right .     Okay .      So  the  Centaur  logs  don ' t 

show  any  activity? 
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A  Correct . 

Q  On  30  November? 

A  Correct . 

Q  Now,    the  next  search  we  have  is  9  December 

by  the  dot  40  machine;    is  that  correct? 
A  One  moment .      Correct . 

Q  And  that  was  the  dot  40  machine  looking  at 

the  Centaur  logs .     You  would  agree  with  me  that  there 
is  no  evidence  that  data  was  transferred  on  that  day 
either? 

A  I  have  no  entries  from  December  9,  correct. 

Q  Our  next  search  is  on  15  November  2009. 

Again,    that's  the  dot  40  machine? 
A  15  December. 

Q  Yes,  sir. 

A  Yes,  sir. 

Q  And  looking  at  the  Centaur  logs? 

A  I  have  no  information. 

Q  Okay.     So  there's  no  evidence  of  a  transfer 

on  15  November? 

A  Right . 
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Q  Okay.     Let's  look  at  the  next  date,  the 

16th  of  December  2009,    again,    the  dot  4  0  minute? 

A  Correct .      I  have  no  log  of  that . 

Q  So  no  data  transferred  on  the  16th  of 

December? 

A  Correct . 

Q  All  right.     Now,   we  have  what  would  be 

December  31st,   again,   the  dot  40  machine. 

THE  COURT:     What  was  the  date? 
MR.   HURLEY:      I'm  sorry,    the  31st  of 
December,  ma'am. 

A  I  do  not  have  a  31  December. 

Q  You  have  a  search  for  CENTCOM? 

A  I  do. 

Q  Did  you  do  30  December  or  31? 

A  31  December  I  do  have  a  search,    Intel  Link, 

on  Centaur  I  have  no  data  transferred. 

Q  No  data  transferred  on  Centaur,    okay.  Now, 

we  have  2  January,    2010.     And  we  have  a  search  on  the 
dot  40  machine,  correct? 

A  Yes,  sir. 
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Q  And  the  Centaur  logs  do  show  a  transfer  on 

that  day? 

A  That  is  correct . 

Q  And  that  transfer  was   637  kilobytes, 

correct? 

A  I  don't  have  a  calculator,  sir. 

Q  Is  it  637,547  bytes? 

A  Well,   no.      I  would  —  2  January,    there  are 

numerous  entries .     Each  had  bytes .     You  would  have  to 
total  that  up . 

THE  COURT :     Meaning  where  entries  were 
searched  or  for  Centaur? 

A  Centaur  has  numerous  entries  and  each  one 

shows  how  many  bytes  were  transferred  for  each  entry. 
I'm  sorry,    there's  quite  a  few  numbers  here. 

Q  What ' s  the  first  one? 

A  First  byte  38315.     Do  you  want  me  to  go 

through  all  of  this? 
Q  Yes . 

A  29185,    168442,    146880,    5888,    2028.  35138. 

21597.      19932,    34797,    7562,    2158,    36338,    21597,  5293, 
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23875,    32333,    3816,    and  2373. 

Q  Okay .     Would  you  agree  with  me  that  that 

comes  out  to  about  600  megs  or  600  kilobytes? 
A  Sure . 

THE  COURT :     Do  you  know  or  you  don ' t  know? 
THE  WITNESS:     No,    I  don't  know,   ma'am.  I 
need  a  calculator.      I  apologize. 

THE  COURT:     No  reason  to  apologize. 
BY  MR.  HURLEY: 


Q  Agent  Shaver,   would  you  agree  with  me  that 

if  you  were  to  add  up  all  of  that,   all  those  bits  and 
bytes,   that  would  not  be  a  enough  to  transfer  a  video? 

A  Correct .      I  would  agree  with  you  on  that . 

Q  Our  next  Intelink  search  is  on  4  January? 

A  Yes,  sir. 

Q  And  that's  the  dot  40  machine  again? 

A  Yes,  sir. 

Q  And  there ' s  no  evidence  in  the  Centaur  logs 

of  data  transferred  on  that  day;   is  that  correct? 
A  That ' s  correct . 

Q  Our  next  search  is  on  19  February? 
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A  Yes,    sir,    I  see  it. 

Q  Do  you  say  data  transferred  on  that  day? 

A  I  do  as  well . 

Q  Are  there  multiple  instances  of  data 

transfer? 

A  Yes,    sir,    there  are. 

Q  How  many? 

A  I  have  two . 

Q  Would  you  agree  that  those  two  add  up  to 

about  252  kilobytes? 

A  (No  answer . ) 

Q  Let  me  ask  you  this,   Agent  Shaver:  Would 

you  agree  on  19  February  there  wasn't  enough  data 
transferred  to  transfer  one  of  the  zip  files  containing 
the  video  from  CENTCOM? 

A  Yes,  sir. 

Q  Okay.     Now,    let's  look  at  28  February. 

A  Yes,  sir. 

Q  Do  we  see  a  search  on  28  February? 

A  I  do. 

Q  Again  the  dot  4  0  machine? 
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A  Yes,  sir. 

Q  And  was  there  data,   there  was  data 

transferred  on  that  date,  correct? 
A  Yes,    sir;    it  was. 

Q  How  many  instances  of  data  transferred? 

A  Thirteen . 

Q  Okay .     And  would  you  agree  with  me  that 

there's  not  enough  data  transferred  on  that  day  to  have 
transferred  any  of  the  zip  files  contained  in  the 
video? 

A  Yes,  sir. 

Q  Let's  look  at  12  March. 

There's  a  search  on  12  March  by  the  dot  22 

machine? 

A  Yes,  sir. 

Q  And  we  do  see  data  transferred  on  that  day, 

correct? 

A  Yes,  sir. 

Q  How  many  instances  of  transfer  are  there? 

A  I  count  29. 

Q  And  if  you  add  all  those  up,   you  would 
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agree  with  me  that  that ' s  not  enough  to  have 
transferred  one  of  the  zip  folders  containing  the  video 
from  CENTCOM? 

A  Yes,  sir. 

Q  Our  next  search  is  on  17  March  on  the  22 

machine . 

A  Yes,  sir. 

Q  And  there ' s  no  evidence  of  any  data 

transferred  on  that  day,  correct? 

A  One  moment.      Correct,  sir. 

Q  Now,    our  last  Intelink  search  is  on  22 

March,  correct? 

A  One  moment .      Correct . 

Q  And  that  was  the  only  search  that  actually 

specifically  references  Farah,    isn't  it?     Of  all  the 
Intelink  searches  that  you've  looked  at  so  far,  that's 
the  only  one  that  implicates  Farah? 

A  Correct . 

Q  And  there  was  data  transferred  on  that 

date? 

A  March,   yes,  sir. 
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Q  There  are  quite  a  few  instances  of  data 

transferred  on  that  date? 
A  Yes,  sir. 

Q  You  would  agree  with  me  if  you  added  all 

those  up,    it  wouldn't  be  enough  to  transfer  one  of  the 
videos  from  the  CENTCOM  server,  correct? 

A  Yes,  sir. 

Q  And  you  would  also  agree  with  me  that  the 

CENTCOM  server  logs  that  you  reviewed  when  we  talked 
about  earlier,   those  showed  activity  on  22  March  as 
well,  right? 

A  Correct . 

Q  And  that  was  activity  where  we  saw  jpegs 

and  PDFs  and  PowerPoint s  we  looked  at,  correct? 

A  I'm  sorry,    sir,    I  believe  that  was  April  — 

Q  I'm  sorry,    that's  correct.  Okay. 

Agent  Shaver,    I'm  going  to  take  those 
exhibits  back  from  you.      I'm  handing  Prosecution 
Exhibit  81  back. 

Agent  Shaver,    you  can  move  back  to  the 
witness  stand. 
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(Witness  complies . ) 

Q  Agent  Shaver,    you  would  agree  with  me  that 

there  were  no  instances,   there's  no  evidence  of  any,  of 
data  being  transferred  from  the  CENTCOM  servers  to  the 
22  or  the  40  machines  in  a  volume  large  enough  to  have 
transferred  one  of  the  videos  that  the  CENTCOM  server 
posted? 

A  Right . 

Q  And  you  would  agree  with  me  that  the  only 

instance  of  a  video  that  is  any  way  associated  with 
Farah  that  was  found  on  the  22  or  the  4  0  machine  was 
actually,   actually  came  from  the  T-drive? 

A  Okay.     Yes,  sir. 

Q  And  that  was  on  17  April? 

A  I  don ' t  remember  the  date . 

Q  But  it  was  in  April? 

A  Yes,  sir. 

Q  No  further  questions.      Thank  you. 

THE  COURT:  Redirect. 

THE  PROSECUTION:      Ten  minute  recess,  Your 

Honor? 
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THE  COURT:     All  right.     Agent  Shaver,  same 
rules  apply  during  recess .      Court  is  in  recess  until  22 
minutes  after  17  00  or  five  o'clock. 
(Brief  recess . ) 

THE  COURT:     Be  seated.     All  parties  are 
present  when  the  court  last  recessed  are  in  the  court. 
The  witness  is  in  the  witness  box. 

REDIRECT  EXAMINATION  BY  MR.  MORROW: 
Q  Agent  Shaver,   was  the  Wget  program  embedded 

as  part  of  the  NCD  server? 
A  No,  sir. 

Q  And  how  does  one  download  documents  or 

cables  from  the  NCD  server    (INAUDIBLE) ? 

A  You  go  to  the  website  and  select  the  files 

you  want  and  download  them. 

Q  Now,   what  does  Wget  allow  you  to  do  when 

downloading  documents  from  any  server,   NCD  or 
otherwise? 

A  Automates  it,   more  robust,    if  there's  a  bad 

connection  it  will  retry. 

Q  What  are  some  other  technical  benefits  of 
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Wget  when  downloading  documents? 

A  Faster .     You  can  run  it  in  the  background . 

You  can  rename  files . 

Q  How  much  faster  is  Wget? 

A  Conservatively,    sir.      It  all  depends  though 

on  the  network  segment  you're  on.      If  you're  on  a  good 
segment  it ' s  fast  but  it  would  be  faster  if  you  had  a 
good  segment.      If  you're  on  a  poor  connection  it  would 
automate  it.      It  would  be  faster  than  the  (INAUDIBLE) 
one . 

Q  I'd  like  to  talk  about  the  videos  again  on 

the  CENTCOM  SharePoint .     What  was  the  naming  convention 
of  the  CENTCOM  Farah  videos,    or  the  videos  associated 
with  Farah  that  were  on  the  Sharepoint  Server? 

A  BE22 . 

Q  Was  that  true  of  all  the  videos  on  there? 

A  Yes,  sir. 

Q  What  was  the  naming  convention? 

THE  COURT:     What  is  a  naming  convention? 
MR.   MORROW:      Just  the  file  name. 
THE  COURT:  Okay. 
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BY  MR.  MORROW: 

Q  What  was  the  file  name?     What  was  the  file 

name  of  the  dot  WMV  file  or  the  video  file  on  the 
T— drive  that  you  said  was  associated  with  Farah? 

A  It  was  a  TGTl  dot  WMV. 

Q  Now,    can  you  tell  whether  the  videos  on  the 

CENTCOM  Sharepoint  Server  with  the  file  names  of  BE22, 
et  cetera  are  the  same  videos  or  the  same  video  that 
appeared  to  be  associated  with  Farah  on  the  T— drive? 

A  No,    sir,    I  didn't  have,    couldn't  recover 

the  file,    TGTl,    to  compare. 

Q  Again,   when  you  searched  the  unallocated 

space  on  the  dot  40  and  dot  22  computers,   were  you  able 
to  find  any  videos? 

A  No,  sir. 

Q  No  remnants  of  any  videos? 

A  I  didn't  find  complete  videos.     Video  files 

are  complex.      If  you  find  a  part  of  it,    it  probably 
won't  play.     So  you  need  to  find  basically  the  entire 
video  to  make  it  work  right . 

Q  I  want  to  ask  you  about  the  NT  user  file. 
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What  is  that  again  please? 

A  Sir,    that's  NT  user  dot  net  is  a  registry 

file.      It  maintains  settings.     For  each  individual  user 
has  one.     So,   again,   the  easiest  way  to  do,   to  explain 
it  again,    if  you  have  office  documents  and  you  go  file 
open  it  and  shows  the  last  10,   that's  where  that's 
maintained . 

Q  So  the  NT  user  file  would  show  you  sort  of 

the  last  10,    if  it  was  the  WMV  or  video  file  version, 
it  would  show  the  last  10  videos  that  were  opened? 

A  Associated  with  that  extension. 

Q  Okay.     Now,   if  a,    let's  say  a  zip  file  had 

a  WMV  embedded  and  it  was  encrypted  or  password 
protected,   would  the  NT  user  file  capture  a  video  that 
wasn ' t  actually  opened? 

A  Not  in  that  scenario. 

Q  Why  is  that? 

A  Because  it  would  be  a  zip  file  and  it  would 

be  also  password  protected. 

Q  So  the  password  protected  would  prevent  it 

from  being  logged  in  the  NT  user? 
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A  Correct . 

Q  Now,    so  let  me  circle  back  then.     What  does 

it  tell  you  if  the  TGTl  was  in  the  NT  user  file? 

A  It  was  not  password  protected  and  it  was 

viewed . 

Q  So  it  was  viewed  or  opened? 

A  Right . 

Q  Especially  we  talked  about  this  awhile  ago, 

but  you  reviewed  the  Lamo  chat  logs  as  part  of  this 
investigation,  correct? 

A  Yes,    sir.      I  did. 

Q  And  I'd  like  to  retrieve  Prosecution 

Exhibit  30 . 

Agent  Shaver,    Prosecution  Exhibit  30  are 
the  Lamo  user  chat  logs .      Can  you  just  review  them  very 
briefly . 

(Witness  reading.) 
A  Yes,  sir. 

Q  And  you  recall  reviewing  these  chat  logs 

prior  to  the  case,  correct? 
A  Yes,  sir. 
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MR.   MORROW:      I'm  retrieving  the  Exhibit 
from  the  witness . 

Your  Honor,   permission  to  publish? 

THE  COURT:      Go  ahead. 
BY  MR.  MORROW: 

Q  Agent  Shaver,    I'm  publishing  page  12  of  the 

chat  logs . 

Are  you  able  to  read  that? 
A  Yes .      Can  you  make  it  a  little  bigger? 

Q  Yep. 

A  Little  easier  to  read. 

Okay . 

Q  Now,    I'd  like  you  to  start  with  the  entry, 

starting  with  2:14:46  p.m.      Can  you  read  down  from 
there? 

A  Sure.     Yes,    sir.     Based  upon  the 

description  he  gave  me  I  assessed  it  was  the  northern 
European    (INAUDIBLE)    security  team  trying  to  figure  out 
how  he  got  the    (INAUDIBLE)    cable.      They  also  caught 
wind  that  he  had  a  video  of  the  Gharani  airstrike  in 
Afghanistan  which  he  has  but  he  hasn't  decrypted  yet. 


Provided  by  Freedom  of  the  Press  Foundation 


1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 


UNOFFICIAL  DRAFT  -  6/11/13  Afternoon  Session 


132 

The  detection  team  was  working  on  the  Baghdad  strike 
(INAUDIBLE)   which  was  never  really  encrypted. 

Next  line  he  got  the  whole  156  for  the 
incident,    so  it  won't  be  just  a  video  with  no  context. 

Next  line,   but  it's  not  nearly  as  damning. 
It  is  an  awful  incident,   but  nothing  like  the  Baghdad 
one . 

Q  Let  me  stop  you  there .     Based  on  the 

description  of  the  Gharani  video  and  these  chat  logs 
and  what  you  observed  in  the  NT  user  file  with  the  WMV 
so  TGTl.wmv,   what  does  that  tell  you? 

A  This  chat  makes  it  sound  like  they  had  the 

password  protected  one,   they  have  a  password  protected 
version  of  the  videos  and  they're,   they  have  not 
decrypted  it . 

Q  Thank  you.      I'm  going  to  show  you  page  4  6 

as  well . 

Here  I'd  like  you  to  read  from  4:33:21  p.m. 
A  Anything  else  interesting  on  this  table  as 

a  former  collector  of  interesting.com  info. 

Next  line  IDK,    I  don't  know.      I  only  know 
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what  I  provided  him. 

Next  line,   what  do  you  consider  the 

highlights . 

Next  line,  the  Gharani  airstrike  videos  and 
for  report  Iraq  war  event  log,  the  Gitmo  papers  and  the 
State  Department  cable  database . 

Q  Thank  you,   Agent  Shaver. 

THE  COURT:     Do  we  have  another  recross? 

THE  PROSECUTION:      I  have  some  more.  I'm 

sorry . 

I'm  handing  Prosecution  Exhibit  30  back  to 
our  court  reporter . 
BY  THE  PROSECUTION: 

Q  Agent  Shaver,    let's  talk  briefly  about 

Centaur  logs .     What  do  they  capture? 

A  Netflow  information,    destination  port, 

source  board  amount  of  data  transferred,   date  and 
times . 

Q  When  you  reviewed  the  Centaur  logs 

reflected  in  this  case,   did  you  observe  any  large  data 
gaps  in  those  logs? 
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A  Yes,  sir. 

Q  Approximately  what  was  the  time  period  of 

those  gaps? 

A  End  of  December  was  one  of  the  gaps .  There 

were  several  other  ones.      I  don't  recall  specific  dates 
off  the  top  of  my  head. 

Q  Do  you  recall  a  gap  between  November  19th 

and  1  December? 

A  Yes,  sir. 

Q  And  based  on  your  review  of  that  gap,  do 

you  think  that  there  was  no  activity  at  that  time  or 
did  you  think  that  there  was  something  wrong  with  the 
Centaur  sensors? 

A  Sure,   there  was  something  wrong  with  the 

sensors . 

Q  Why  do  you  say  that? 

A  Sir,    computers  on  a  domain,    they  have  to 

communicate  with  the  domain  server .     But  more  than  that 
they  want  to  update .     One  of  the  things  they  update  is 
antivirus  and  time.      The  time  protocol  is  used  to  keep 
all  the  computers  in  sync  with  each  other  because  time 
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and  antivirus  was  not  going  on  during  those  timeframes, 
either  the  computer  was  off  or  there  was  a  problem  with 
the  sensor . 

Q  So  did  you  not  observe  any  updating  of  time 

or  antivirus  at  that  time? 

A  Correct . 

MR.   MORROW:      I'd  like  to  retrieve  Defense 
Exhibit  Delta . 
BY  MR.  MORROW: 

Q  Agent  Shaver,    I'd  ask  you  to  move  over  to 

the  panel  box  again . 

Agent  Shaver,    I'm  handing  you  Defense 
Exhibit  Delta .     Please  explain  again  what  is  Defense 
Exhibit  Delta? 

A  It ' s  netf low  logs .     But  it ' s  to  and  from 

servers,    CENTCOM  servers. 

Q  All  the  CENTCOM  servers  that  you  were  able 

to  find? 

A  Correct . 

Q  And  to  where? 

A  To  and  from  dot  40  and  dot  22. 
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Q  Now,   please  show  me  in  the  Centaur  logs  the 

activity  on  10  April. 

A  There  are  no  logs  for  April . 

Q  There's  no  activity  in  the  Centaur  logs 

relating  to  10  April  2010? 

A  Correct . 

Q  What  does  that  tell  you  based  on  what  you 

saw  in  the  index  dot  dat  file  in  PFC  Manning's  dot  22 
computer? 

A  These  logs  were  not  captured  that  day. 

Q  Is  it  fair  to  assume  that  Centaur  logs  are 

not  a  perfect  logging  system? 
A  That ' s  correct . 

Q  Because  there  are  some  gaps  in  the  logs? 

A  Yes,  sir. 

Q  Now,   Agent  Shaver,    you  can  move  back  to  the 

witness  stand,  please. 

A  (Witness  complies.) 

Q  Let ' s  talk  again  about  you  were  shown  some 

Intel  Link  logs  again . 

What  does  Intel  Link  capture  when  you 
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search  for  something? 

A  It  will  capture  the  key  word  searched  and 

things  that  you  click  on.     Search  results  that  you 
view . 

Q  What  happens  if  you  click  on  a  result  that 

comes  back  in  the  Intel  Link  logs  or  as  a  result  of 
search  in  intelligence  analyst? 

A  If  it's  on  the  intelligence  analyst  it 

should  show  you  to  either  download  a  document  or  visit 
a  web  page . 

Q  So  it  will  sort  of  direct  you  to  somewhere 

else? 

A  It  could. 

Q  It  could. 

Well,    let's  say,   what  happens  if  Intel  Link 
redirects  you  to  another  server? 

A  It's  no  longer  a  part  of  Intelink.  It 

passes  that  information  off  to  the  other  server  so 
there  would  be  no  entries  within  Intelink  because  it ' s 
no  longer  part  of  the  Intelink,   well,  world. 

Q  And  so  is  it  fair  to  say  that  Intelink 
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doesn't  capture  activities  on  other  servers? 
A  That ' s  correct . 

Q  Now,    if  you  viewed  a  video  on  another 

server,   would  Intelink  capture  that  capacity? 
A  Maybe . 

Q  Maybe . 

Explain . 

A  Depends  where  the  server,   where  that  file 

is  . 

Q  If  you  downloaded  a  video  from  another 

server,   would  Intel  Link  capture  that  activity? 

A  Depends  where  the  server  or  where  it  is . 

Q  If  you  clicked  on  a  result  and  were 

redirected  would  Intel  Link  capture  that  activity? 
A  Probably  not . 

THE  PROSECUTION:     No  further  questions. 

THE  COURT:  Recross? 

MR.   HURLEY:     Yes,  ma'am. 

RE-CROSS  EXAMINATION  BY  MR.  HURLEY: 

Q  Agent  Shaver? 
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A  Hello,  sir. 

Q  You  just  talked  with  Captain  Morrow  about 

the  Lamo  chats .     You  would  agree  with  me  that  PFC 
Manning  never  said  that  he  gave  the  Farah  video  or  the 
Gharani  airstrike  video? 

A  Correct . 

Q  And  he  never  said  that  he  gave  them  an 

encrypted  version  of  the  video? 

A  Well,   there  was  something  he  mentions, 

obviously  something  with  encryption  and  password. 

Q  He  mentioned  that  WikiLeaks  had  an 

encrypted  version,  correct? 

A  Yes . 

Q  But  he  didn ' t  actually  claim  to  have  given 

them  an  encrypted  version? 
A  Correct . 

Q  You  would  agree  with  me  that  it ' s  possible 

that  PFC  Manning  found  an  unencrypted  version  and  then 
provided  that  to  WikiLeaks? 

A  Anything  is  possible. 

Q  Now,   you  talked  about  some  of  the  gaps  in 
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the  Centaur  logs .     Were  there  gaps  in  the  CENTCOM 
server  logs? 

A  Not  to  my  knowledge . 

Q  And  you  testified  before  that  the  BEPAX 

videos  had  been  accessed  twice,   according  to  the 
CENTCOM  server  logs? 

A  Correct . 

Q  One  of  those  was  on  28  January? 

A  Yes,  sir. 

Q  And  one  of  them  was  on  23  February? 

A  Correct . 

Q  Both  of  those  in  2010? 

A  Correct . 

Q  Nothing  in  2009? 

A  Correct . 

Q  You  would  agree  with  me  that  there ' s  no 

evidence  of  PFC  Manning  or  the  22  machine  or  the  dot  4  0 
machine  accessing  a  file  called  BE22PAX.zip,  correct? 

A  Correct . 

Q  Do  you  have  any  knowledge  of  whether  or  not 

WikiLeaks  ever  told  PFC  Manning  that  they  had  an 
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encrypted  version? 

A  I  would  have  no  knowledge  of  that . 

Q  Did  you  review  any  chats  between  PFC 

Manning  and  a  person  associated  with  WikiLeaks? 

A  As  part  of    (INAUDIBLE),  yes. 

Q  Did  you  know  about  a  2008  regarding 

WikiLeaks  that  (INAUDIBLE)? 

A  I  knew  about  it  later . 

Q  So  you ' re  aware  on  8  January  WikiLeaks 

apparently  — 

THE  COURT :      8  January  of  what  year? 

Q  2010,   ma'am,    2008  that  they  had  an 

encrypted  version? 

A  I  don ' t  remember  the  date  but  I  remember 

there  being  a  2008. 

Q  And  that  was  before  any  chats  between  PFC 

Manning  and  Adrian  Lamo? 

A  Yes . 

Q  Those  chats  were  in  May? 

A  Correct . 

Q  And  again  in  those  chats  he  never  said 
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that,   he  never  said  I  sent  them  an  encrypted  version? 
A  Right . 

Q  He  just  said  he ' s  aware  that  WikiLeaks  has 

an  encrypted  version? 
A  Yes,  sir. 

MR.   HURLEY:     Nothing  further,    Your  Honor. 
THE  COURT:     Do  you  have  redirect? 
MR .   MORROW :     Final .      Three  or  four 
questions,    Your  Honor. 

THE  COURT:  Okay. 

REDIRECT  EXAMINATION  BY  MR.    MR.  MORROW: 
Q  Agent  Shaver,   page  4  6  of  the  logs  we  just 

saw,    did  PFC  Manning  admit  to  providing  the  Gharani 

airstrike  videos  to  WikiLeaks? 

A  I  got  to  review  it  again,    sir,    I'm  sorry. 

Q  Yes.     Prosecution  Exhibit  number  30, 

please . 

If  you  could  just  refer  to  page  46.  Again 
if  you  would  just  read  out  loud  from  anything 
interesting  as  a  collector  or. 

(Witness  reading.) 
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Q  Sir,    let  me  help  you  on  it.     We'll  do  it 

this  way . 

Just  start  with  the  entry  at  4:33:44  p.m.? 
A  IDK,   which  commonly  stand  for  I  don ' t  know . 

I  only  know  what  I  provided  him. 

Next  line  for  Mr.   Lamo,   what  do  you 
consider  the  highlights?     The  Gharani  airstrike  videos 
and  full  report  Iraqi  war  event  log,    the  Gitmo  papers 
and  the  State  Department  cable  database . 

Q  That's  good.      Thank  you,   Agent  Shaver. 

Agent  Shaver,    I  want  to  talk  about  the 
CENTCOM  Sharepoint  Server  logs  again . 
A  Yes,  sir. 

Q  Did  you  observe  or  did  you  have  logs 

collected  in  this  case  before  1  December  2009? 
A  No,  sir. 

Q  Why  is  that? 

A  Because  they  didn ' t  exist .     The  logs  rotate 

and  we  collected  them  in  July  2010  and  that's  as  far 
back  as  they  went . 

Q  So  1  December  2009  was  as  far  back  as 
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CENTCOM  had? 

A  Correct . 

Q  And  when  is  Thanksgiving  generally  in  the 

year,   what  month? 

A  November . 

Q  Usually  around  what  date  of  November? 

A  27th. 

Q  Thank  you. 

MR.   MORROW:     No  further  questions. 

THE  COURT :     All  right .      I  have  a  few . 

EXAMINATION  BY  THE  COURT: 
Q  The  first  one,    can  you  clear  up  some 

confusion  for  me.      I  hear  Farah  video,    Gharani  video. 
Are  those  the  same  things,   are  they  different? 
A  The  same  thing. 

Q  Okay .     Let  me  see  if  I  understand  what  I 

thought  your  testimony  was . 

The  Gharani  video  was  only  accessed, 
according  to  the  records,    twice  from  or  the  Gharani 
video  from  the  Centaur  logs.     There's  no  evidence  it 
was  ever  transferred  from  CENTCOM  to  the  dot  22  or  the 
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dot  40? 

A  Correct . 

Q  Or  at  least  as  file  name  BE22PAX . wmv? 

A  The  zip  file    (INAUDIBLE),   yes,  ma'am. 

Q  And  there  was  a  video  with  that  file  name 

on  either  the  dot  22  or  the  dot  4  0  computer? 
A  No ,   ma ' am . 

Q  What  was  on  the  dot  22  or  dot  40  computer? 

A  There  was  another  video  that  was  identified 

through  the  restore  points  that  was  called  TGTl .  Tango 
Gulf  Tango  1 . 

Q  Okay . 

A  However,    I  have  a  file  name,    I  don't  have, 

actually  the  video . 

Q  Do  you  know  if  it  is  a  Farah  video? 

A  The  folder  it  was  in  was  called  Farah  but 

the  actual  contents  of  the  video  I  do  not  know. 

Q  And  why  is  that? 

A  It  was  deleted,   overwritten,   and  I  cannot 

recover  it . 

Q  I  believe  you  testified  you  said  that  that 


Provided  by  Freedom  of  the  Press  Foundation 


1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 


UNOFFICIAL  DRAFT  -  6/11/13  Afternoon  Session 


146 

file  came  from  the  T— drive? 

A  Yes .      It  was  on  the  T— drive  as  well  by  file 

name  and  then  it,    it  was  in  Manning,    Bradley  dot 
Manning  user  profile. 

Q  So  it  was  in  both  the  T— drive  which  is  the 

shared  server  drive? 

A  Correct . 

Q  And  in  PFC  Manning's  user  profile? 

A  Correct . 

Q  On  the  T— drive  could  you  view  it? 

A  No,   ma'am.     We  did  not  collect  that.  That 

portion  was  not  collected. 

Q  So  do  you  know  what  the  video  with  that 

same  file  name,   what  was  the  file,   the  TGT  video  on  the 
T— drive  was? 

A  No ,   ma ' am . 

Q  If  you  don't  know  the  answer  to  this  just 

tell  me .  Did  you  all  have  Centaur  logs  that  captured 
data  from  the  CENTCOM  share  file  to  the  T-drive? 

A  No ,   ma ' am . 

Q  Do  you  know  when  the  TGT  file,    how  long  it 
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was  on  the  T— drive  when  it  got  there? 

A  No,   ma'am.      I  could  tell  you  the  first 

incident  it  was  on  the  Bradley  dot  Manning  file  was 
March  was  the  first  entry  concerning  that.  2010. 

THE  COURT :      I  think  that ' s  all  I  have . 
Any  follow— up  based  on  that? 
MR.   MORROW:     One  moment,    Your  Honor. 
REDIRECT  EXAMINATION  BY  MR.  MORROW: 
Q  Agent  Shaver,    just  to  clarify,   what  does 

Centaur  actually  capture? 

A  Transfers  between  two  computers . 

Q  Does  Centaur  capture  actual  files? 

A  No,    sir,   but  it  does  capture  the  amount  of 

data  transferred. 

RE-RECROSS  EXAMINATION  BY  MR.  HURLEY: 
Q  Agent  Shaver,    the  Centaur  logs  that  you 

reviewed  were  only  Centaur  logs  that  involved  the  22 
and  40  machine;    is  that  correct? 
A  That ' s  correct . 

Q  I  believe  the  judge  asked  you  if  there  was 

any  Centaur  logs  data  showing  transfer  from  the  Centaur 
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to  the  T  Drive  but  you  didn ' t  review  any  of  that 
Centaur  logs  log  data? 
A  Correct . 

Q  So  you  didn ' t  review  all  the  Centaur  logs 

data  from  CENTCOM,    only  stuff  that  was  on  22  or  40 
machine? 

A  Correct . 

Q  It ' s  possible  there  was  transfer  from  the 

CENTCOM  to  the  T-drive;   you  would  have  no  idea? 
A  Correct . 

MR.   HURLEY:      Thank  you. 

THE  COURT :     All  right .      Temporary  or 
permanent  excusal? 

MR.   MORROW:      Temporary,    Your  Honor. 

THE  COURT:     Once  again,   Agent  Shaver,  the 
same  rules  apply.     You're  temporarily  dismissed. 

THE  WITNESS:      Thank  you,  ma'am. 

THE  COURT:     All  right.      I  assume  you  don't 
want  to  call  anymore  witnesses  today? 

THE  PROSECUTION:     Ma'am,    sticking  to  the 
proposed  trial  schedule  for  the  first  time,   yes,   we  do 
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not  want  to  call  anyone  else . 

United  States  recommends  recess  until 
tomorrow  morning  at   9:30.     We'll  call  the  next  witness, 
Special  Agent  Johnson. 

THE  COURT:     Any  objection? 

MR.   HURLEY:     No,   Your  Honor. 

THE  COURT:     Any  issues  before  we  recess  for 

the  court? 

MR.   HURLEY:     No,   Your  Honor. 
THE  PROSECUTION:     No,  ma'am. 
THE  COURT:      Court  is  recessed  until 
9:30  a.m.  tomorrow. 

(Court  adjourned.) 
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